The crypto security firm that audited the Merlin decentralized exchange's code announced plans to compensate victims after the team behind the project absconded with nearly $2 million days after the audit was completed.
CertiK, a well-known security and smart-contract audit firm, "is exploring a community compensation plan" after members of the Merlin team swiped the funds from the project's smart contract this week, CertiK said in a tweet. More details about the plan will be released in the future, it added.
The incident was initially believed to be a hack, but security analysts, including CertiK, eventually concluded that it was a rug pull, an exit scam frequently encountered in the DeFi space in which one or more members of a crypto project seize control of the protocol and steal the funds locked within it. The incident occurred just a few days after CertiK completed a code audit for Merlin, leading commentators on Crypto Twitter to blame the security auditor for the incident.
"As CertiK works tirelessly to resolve the situation, the company will continue to provide updates and ensure transparency throughout the process," CertiK told The Block. "We are committed to protecting the community and maintaining the highest level of security standards in the blockchain ecosystem."
CertiK, which raised $88 million in funding at a $2 billion valuation last year, audits the smart contracts of DeFi projects. Because a deployed smart contract generally cannot be patched in place, projects often pay audit firms like CertiK to review their code before deployment and to demonstrate their commitment to security. The developers of Merlin, a decentralized exchange that operated on the zkSync Layer 2 blockchain, likewise contracted CertiK to audit their smart contract.
Merlin scammers 'based in Europe'
CertiK said it planned to cooperate with law enforcement to track down the rogue developers responsible for the scam and has offered a 20% bounty (worth about $400,000) for the return of the stolen funds.
"Initial investigations indicate that the rogue developers are based in Europe, and CertiK will collaborate with law enforcement authorities to track them down if direct negotiation is unsuccessful," CertiK elaborated.
Merlin allowed crypto users to provide liquidity by depositing their tokens into its smart contract in exchange for rewards. However, the developers, who had forked the smart contract from another decentralized exchange, Camelot, granted themselves admin privileges. The admin key let them transfer the deposited user funds out of the contract at any time.
CertiK's audit of Merlin did warn of risks, including the developers' privileged access to funds deposited in the smart contract. Yet users who trusted the project still deposited funds into its liquidity pools.
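As an added illustration, not Merlin's or Camelot's code and not taken from CertiK's audit report, the two hypothetical Solidity contracts below show the pattern the previous two paragraphs describe: a liquidity pool whose admin key can drain every deposit, beside a variant in which no privileged code path can touch user balances. The contract and function names, the 48-hour delay and the minimal IERC20 interface are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used by both pools (assumption: a standard token).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

/// Hypothetical pool with the rug-pull pattern: the deployer keeps an admin key
/// that can move every token users have deposited, regardless of who owns it.
contract RuggablePool {
    IERC20 public immutable token;
    address public admin;
    mapping(address => uint256) public deposits;

    constructor(IERC20 _token) { token = _token; admin = msg.sender; }

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    function deposit(uint256 amount) external {
        deposits[msg.sender] += amount;              // state updated before the external call
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    function withdraw(uint256 amount) external {
        deposits[msg.sender] -= amount;              // reverts on underflow in 0.8.x
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // This is the kind of finding an audit flags as privileged access: it ignores
    // per-user accounting and sends the pool's entire balance wherever the admin says.
    function emergencyWithdraw(address to) external onlyAdmin {
        token.transfer(to, token.balanceOf(address(this)));
    }
}

/// Hardened variant: the only function that moves tokens out is withdraw(), which
/// pays the caller their own recorded balance and nothing else. The admin can pause
/// new deposits (never withdrawals), and handing the admin role to another address
/// is announced on-chain and delayed so depositors can see it coming and exit.
contract HardenedPool {
    IERC20 public immutable token;
    address public admin;
    bool public depositsPaused;
    mapping(address => uint256) public deposits;

    address public pendingAdmin;
    uint256 public pendingAdminEta;
    uint256 public constant DELAY = 48 hours;       // assumed delay, pick per project

    constructor(IERC20 _token) { token = _token; admin = msg.sender; }

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    function deposit(uint256 amount) external {
        require(!depositsPaused, "deposits paused");
        deposits[msg.sender] += amount;
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    // Cannot be paused or redirected: each depositor can only move their own balance,
    // and only to themselves.
    function withdraw(uint256 amount) external {
        deposits[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    function pauseDeposits(bool paused) external onlyAdmin { depositsPaused = paused; }

    // Two-step, time-locked admin rotation: proposed now, executable after DELAY.
    function proposeAdmin(address newAdmin) external onlyAdmin {
        pendingAdmin = newAdmin;
        pendingAdminEta = block.timestamp + DELAY;
    }

    function acceptAdmin() external {
        require(msg.sender == pendingAdmin, "not pending admin");
        require(block.timestamp >= pendingAdminEta, "timelock active");
        admin = pendingAdmin;
        pendingAdmin = address(0);
    }
}
```

The deposit and withdraw logic is identical in both contracts; what separates them is whether any code path can transfer more than `deposits[msg.sender]` or to anyone other than the caller. When reviewing a fork of an existing exchange, that is the question to ask of every function the fork added or changed relative to upstream, together with whether the constructor or initializer grants any approval on the pool's balance to an externally controlled address. An audit can surface such a path, as CertiK's report did here, but it cannot stop a key holder from using it.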
CertiK acknowledged the difficulty in detecting malicious developer intentions, stating, "While audits can identify potential risks and vulnerabilities, they cannot prevent malicious activities on the part of rogue developers such as rug pulls."
The firm told The Block it was the first time it had decided to pay compensation after one of its clients cheated its investors.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.