Decentralized exchange Merlin on Zksync, fraudulent outflow of about 250 million yen


Unauthorized outflow from Merlin

It was revealed on the 26th that decentralized exchange Merlin was hacked and over 250 million yen ($1.82 million) of funds were stolen. Merlin is one of the protocols on “zkSync”, an L2 project for the crypto asset (virtual currency) Ethereum (ETH).

Liquidity pools (LPs), which lock up funds in smart contracts, were targeted. Hackers allegedly bridged all stolen funds from LPs onto the Ethereum chain.

Merlin had just started a public sale of its own token MAGE at 00:00 on the 26th (Japan time). As a “Liquidity Generating Event (LGE),” Merlin planned to collect ETH liquidity contributions from participants and allocate MAGE in return. Investors who participated in this public sale were offered a bonus airdrop of the “Escrow Token (stMAGE)”, which receives project dividends.

In blog posts on the 15th and 25th, the project team emphasized that security was a top priority and that all smart contracts were fully audited by security company Certik before going on sale.

According to 0xScope founder 0xBobie, the stolen funds were found in two wallets (a, b). Blockchain security firm PeckShield has confirmed that one account, 0x2744…9b7, bridged approximately $850,000 worth of USD Coin (USDC) to the Ethereum (ETH) chain.


Post-audit hack

On Twitter, there is widespread speculation that the Merlin incident was a “rug pull.” One user claims that Merlin's smart contract granted an unrestricted approval (type(uint256).max) to the attacker’s address, which allowed funds to be illegitimately withdrawn from the pool.

Xen also posted a picture of a conversation in the Merlin and zkSync Telegram group (in which he was involved in an advisory role). Since the Merlin project team did not appear to understand these mechanisms and seemed confused by the unauthorized outflow, the post speculated that it was the founder acting alone.

Source: Certik

Certik released the results of Merlin’s audit on the 24th. It notes a major risk that “under certain circumstances may result in the loss of funds or control of the project,” but the status is “Resolved.” It’s unclear if the audit detected abuse of “unrestricted approvals,” but the post-audit hacking incident has raised suspicions among the cryptocurrency community. According to an interview with Certik CEO Gu Ronghui published on the 26th, the company has a 70% share of the cryptocurrency security market.
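
A monitoring check for the pattern alleged above, as an added example that is not from the article or from Merlin's code: it scans ERC-20 `Approval` event logs for `type(uint256).max` allowances granted by a watched pool contract to a spender outside an allowlist. The addresses, the sample logs and the function names are constructed for illustration.

```python
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1  # the value of Solidity's type(uint256).max


def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def flag_unlimited_approvals(logs, watched_owners, allowed_spenders):
    """Return (token, owner, spender) for each max-value approval granted by a
    watched contract (e.g. a liquidity pool) to a spender not on the allowlist."""
    watched = {a.lower() for a in watched_owners}
    allowed = {a.lower() for a in allowed_spenders}
    findings = []
    for log in logs:
        topics = log.get("topics", [])
        # ERC-20 Approval has exactly 3 topics; ERC-721 reuses the signature with 4.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        owner, spender = topic_to_address(topics[1]), topic_to_address(topics[2])
        data = log.get("data", "0x")
        value = int(data, 16) if len(data) > 2 else 0
        if value == MAX_UINT256 and owner in watched and spender not in allowed:
            findings.append((log["address"].lower(), owner, spender))
    return findings


def _pad(addr):
    """Left-pad a 20-byte address to a 32-byte topic."""
    return "0x" + "0" * 24 + addr[2:]


# Constructed addresses and logs (eth_getLogs-style entries), not real chain data.
POOL, ROUTER = "0x" + "aa" * 20, "0x" + "bb" * 20
UNKNOWN, USER, TOKEN = "0x" + "cc" * 20, "0x" + "ee" * 20, "0x" + "dd" * 20
SAMPLE_LOGS = [
    # pool -> allowlisted router, unlimited: expected, not flagged
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad(POOL), _pad(ROUTER)], "data": hex(MAX_UINT256)},
    # pool -> unknown spender, unlimited: flagged
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad(POOL), _pad(UNKNOWN)], "data": hex(MAX_UINT256)},
    # pool -> unknown spender, bounded amount: not flagged by this check
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad(POOL), _pad(UNKNOWN)], "data": "0x" + "0" * 60 + "03e8"},
    # ordinary user wallet -> unknown spender, unlimited: owner is not watched
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad(USER), _pad(UNKNOWN)], "data": hex(MAX_UINT256)},
]

if __name__ == "__main__":
    for finding in flag_unlimited_approvals(SAMPLE_LOGS, [POOL], [ROUTER]):
        print("unlimited approval from watched contract:", finding)
```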

What is zkSync

zkSync is an L2 solution classified as a “zkEVM,” meaning it is compatible with Ethereum’s virtual machine (EVM). It uses “ZK Rollup,” a rollup technology built on zero-knowledge proofs.


The post Decentralized exchange Merlin on Zksync, fraudulent outflow of about 250 million yen appeared first on Our Bitcoin News.

