Crypto security firm vows refunds for victims of Merlin DEX scam after auditing code

Quick Take

  • CertiK, a smart contract audit firm, plans to compensate victims of this week’s exit scam involving their former client Merlin.
  • The Merlin scam saw nearly $2 million stolen by the developers of a smart contract that CertiK had audited.

The crypto security firm that audited the Merlin decentralized exchange's code announced plans to compensate victims after the team behind the project absconded with nearly $2 million days after the audit was completed.

CertiK, a well-known security and smart-contract audit firm, "is exploring a community compensation plan" after members of the Merlin team swiped the funds from the project's smart contract this week, CertiK said in a tweet. More details about the plan will be released in the future, it added.

The incident was initially believed to be a hack, but security analysts, including CertiK, eventually concluded that it was a rug pull, an exit scam frequently encountered in the DeFi space in which one or more members of a crypto project seize control of funds locked within the protocol and steal them. The incident occurred just a few days after CertiK conducted a code audit for Merlin, causing commentators on Crypto Twitter to blame the security auditor for the incident.

"As CertiK works tirelessly to resolve the situation, the company will continue to provide updates and ensure transparency throughout the process," CertiK told The Block. "We are committed to protecting the community and maintaining the highest level of security standards in the blockchain ecosystem."

CertiK, which raised $88 million in funding at a $2 billion valuation last year, audits smart contracts of DeFi projects. Due to the immutable nature of blockchain technology, projects often pay audit firms like CertiK to demonstrate their commitment to security measures before deploying a smart contract. The developers of Merlin, a decentralized exchange that operated on the zkSync Layer 2 blockchain, also contacted CertiK for an audit of their smart contract.

Merlin scammers 'based in Europe'

CertiK said it planned to cooperate with law enforcement to track down the rogue developers responsible for the scam and has offered a 20% bounty (worth about $400,000) for the return of the stolen funds.



"Initial investigations indicate that the rogue developers are based in Europe, and CertiK will collaborate with law enforcement authorities to track them down if direct negotiation is unsuccessful," CertiK elaborated.

Merlin allowed crypto users to provide liquidity by allocating their tokens to its smart contract in exchange for rewards. However, the developers, who forked the smart contract from another decentralized exchange called Camelot, granted themselves admin privileges. This enabled them to seize user funds at any time using the admin key.

CertiK's audit of Merlin did warn of risks, including the developers' privileged access to funds deposited in the smart contract. Yet users who trusted the project still deposited funds into its liquidity pools.
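The pattern the audit warned about, shown here as an added illustration that is not Merlin's, Camelot's, or CertiK's code: a hypothetical liquidity vault whose single admin key can drain every deposit, beside a variant in which no privileged function can touch user balances and the only admin action is a timelocked pause on new deposits. The contract, function, and event names are assumptions, and the vault logic is deliberately minimal.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical example (not Merlin's or Camelot's code): the "privileged
// access to deposited funds" finding, beside a hardened design.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// RISKY: one admin key can move every user deposit out at any time.
contract VaultWithAdminKey {
    IERC20 public immutable token;
    address public admin;
    mapping(address => uint256) public balances;

    constructor(IERC20 _token) { token = _token; admin = msg.sender; }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;            // update state before the external call
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // The audit finding: an "emergency" drain gated only by the admin key.
    // Nothing ties the amount to the admin's own balance, so the whole pool
    // can be moved in one transaction.
    function emergencyWithdraw(address to, uint256 amount) external {
        require(msg.sender == admin, "not admin");
        require(token.transfer(to, amount), "transfer failed");
    }
}

// HARDENED: no privileged path can touch user balances. The admin can only
// pause new deposits, and that takes effect after a public delay so users
// can see it coming; withdrawals can never be paused.
contract VaultWithoutDrain {
    IERC20 public immutable token;
    address public admin;
    mapping(address => uint256) public balances;

    uint256 public constant DELAY = 2 days;
    uint256 public pauseEffectiveAt;               // 0 = no pause scheduled

    event PauseScheduled(uint256 effectiveAt);
    event AdminRenounced();

    constructor(IERC20 _token) { token = _token; admin = msg.sender; }

    function deposit(uint256 amount) external {
        require(pauseEffectiveAt == 0 || block.timestamp < pauseEffectiveAt, "deposits paused");
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[msg.sender] += amount;
    }

    // A user can always reclaim exactly their own balance, admin or not.
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // The only privileged action, and it is timelocked and announced on-chain.
    function schedulePause() external {
        require(msg.sender == admin, "not admin");
        pauseEffectiveAt = block.timestamp + DELAY;
        emit PauseScheduled(pauseEffectiveAt);
    }

    // Once the protocol is stable the team can give up the key entirely.
    function renounceAdmin() external {
        require(msg.sender == admin, "not admin");
        admin = address(0);
        emit AdminRenounced();
    }
}
```

When reviewing a fork for this class of issue, the useful check is to enumerate every function gated by an owner or admin comparison and ask whether it can move funds that users deposited; if it can, the audit report should say so in plain terms, as CertiK's did. Putting the key behind a multisig or timelock lowers the risk but does not remove the trust users place in the team, which is why the hardened variant removes the drain path altogether rather than guarding it.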

CertiK acknowledged the difficulty in detecting malicious developer intentions, stating, "While audits can identify potential risks and vulnerabilities, they cannot prevent malicious activities on the part of rogue developers such as rug pulls."

The firm told The Block it was the first time it had decided to pay compensation after one of its clients cheated its investors.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c and via email at [email protected]


To contact the editor of this story:
Andrew Rummer at
[email protected]