More than $1 million was stolen from a cryptocurrency platform after an audit of its code
More than $1 million was stolen from cryptocurrency platform Merlin immediately after its code passed an audit
The hack occurred despite a positive assessment from leading blockchain project code reviewers
Decentralized exchange Merlin, which operates in the zkSync ecosystem, was hacked for more than $1 million immediately after it passed a software code audit by smart contract auditor CertiK.
On the morning of April 26, attackers withdrew about $850,000 worth of the stablecoin USD Coin (USDC) and several other relatively illiquid tokens from Merlin. On-chain data suggests that an entity controlling the exchange's liquidity pool was able to withdraw the funds. This may indicate that the attack was not technically sophisticated and that the theft may have been the work of a project insider.
The attack happened even though Merlin had been audited by CertiK, a market leader in auditing the software code of blockchain projects. CertiK's conclusion from the Merlin audit states that the exchange's code "does not contain any critical vulnerabilities."
CertiK representatives wrote on social media that they are investigating the incident. Their initial findings point to a potential problem with the management of the project's private cryptographic keys, which give access to funds. "An audit cannot completely prevent key issues, but we always look to projects for best practices," CertiK said.
Merlin's developers have asked users to revoke any permissions granted to the platform by wallets connected to its site. They say they are analyzing a possible vulnerability in the protocol, but had no further comment at the time of publication.
Matter Labs is the developer of the zkSync layer-2 blockchain. In November 2022, it closed several investment rounds totaling $258 million with LightSpeed, Andreessen Horowitz, and the major crypto venture capital firms Blockchain Capital and Dragonfly.
The project is considered a potential candidate to distribute tokens via an airdrop rewarding activity in its ecosystem projects, which include, among others, the hacked Merlin platform.