KEY POINTS

  • MerlinDEX, a ZkSync-based decentralized exchange, suffered an exploit this week
  • The exploit cost the DEX nearly $2 million in losses
  • MerlinDEX was audited by the blockchain security firm Certik

Certified Kernel Tech, more popularly known in the cryptocurrency space as Certik, denied responsibility for the controversy involving the ZkSync-based decentralized exchange (DEX) Merlin and said that it is currently working with the DEX to compensate users.

Many investors depend on smart contract auditing firms to make sure that their funds are safe, but based on the recent turn of events, it looks like a smart contract audit does not guarantee the safety of investments.

Blockchain security firm Certik issued a statement recently after a crypto project it audited experienced an exploit, which resulted in nearly $2 million in losses.

While the auditing firm denied responsibility for the lost funds, the mounting pressure from the crypto community's backlash prompted Certik to investigate the case and work with the DEX to compensate the victims.

[Image: Illustration shows the word "Crypto" and a stock graph. Credit: Reuters]

The incident was revealed by MerlinDEX on Wednesday. It said that the initiative experienced an exit scam caused by rogue developers from Serbia who allegedly drained the project's wallets of $1.82 million in funds.

"In the early hours of this morning, several members of the Back-End Team drained all of our Contracts," the DEX said in a tweet.

"They chose to carry out several on-chain transactions to drain all of Merlin's pools, public sale and manipulate our front-end contracts. This was done by implementing a function that allows a Call action to all Merlin Pairs alongside hidden Front-End Contracts," it further revealed, adding that "the back-end team who also have access to our web-host had unknowingly manipulated our code to achieve their goal."

MerlinDEX also assured its customers that "our unwavering priority is to return all funds to affected parties and participants on the Merlin platform at the earliest opportunity. To that end, we are working alongside @Certik (Team DOXX by both Prospero & Alatar Recovery Plan) to reimburse all affected users."

Certik, on its part, maintained that it has no responsibility for what transpired, but noted that it "is actively investigating the recent MerlinDEX exit scam." It said that "private key privileges are outside the scope of a smart contract audit."

The audit firm also said in a tweet following the incident that its "response teams have been working diligently to understand the circumstances and assess the extent of the impact on our community."

The firm said that it had highlighted the centralization risk under the "Decentralization Efforts" section of its audit report on MerlinDEX.

"We urge the rogue developers to accept a 20% white hat bounty. Although we raised the private key privilege issues in the audit report, we want to assist impacted users. We are determined to track down those behind this rug pull. More compensation details will be released," Certik said in a separate tweet in an attempt to recover the stolen funds.