In a shocking turn of events, $1.8M vanished during Merlin's Liquidity Generation Event, raising suspicions about whether it was a hack or a well-planned rug pull. Merlin, a DEX native to zksync L2, was launching its token (MAGE) when the incident occurred. This article delves into the details of the incident and its implications on the DeFi space.
The Merlin DEX hack or rug pull incident occurred during the MAGE token sale, which was part of a 3-day Liquidity Generation Event. The core of the issue lies in the max approvals granted to the Feeto address when the liquidity pools were deployed. These max approvals essentially gave the individual(s) controlling the Feeto address unfettered access to the pool's assets, enabling them to drain the funds.
The attackers exploited this vulnerability, systematically draining the liquidity pools where users were depositing their funds as part of the MAGE token sale. They then bridged the stolen assets to Ethereum (ETH), converting them into a more liquid and easily transferable form. This allowed the attackers to move the funds to other addresses, further obfuscating the trail and making it harder to trace their steps.
In the aftermath of the incident, Merlin conducted a post-mortem investigation to determine the cause of the security breach and identify the responsible parties. The results of the investigation pointed to the back-end development team as the main culprits behind the attack. According to Merlin, the developers had maliciously manipulated the smart contracts and exploited the max approvals feature, giving them the ability to drain the liquidity pools at will.
Following these revelations, Merlin has taken action to hold the developers accountable for their actions. They have shared the developers' GitHub profiles and claimed to have contacted Serbian authorities to pursue legal action against the individuals involved. Meanwhile, the DeFi community has been left reeling from the attack, questioning the security of not only Merlin DEX but also other projects within the rapidly growing ecosystem.
This incident marks the first attack on zksync, a zero-knowledge Ethereum rollup whose mainnet went live in March. With the new environment under scrutiny, the value of certain audit styles comes into question. Merlin had passed its second audit by Certik just two days before the attack, prompting doubts about the firm's value to the space. Certik had highlighted the issue of trust in their initial audit, but it was marked as "Resolved" after Merlin's team committed to using a multisig.
The Blame Game and the Need for Personal Responsibility
As the blame game continues, Certik is considering a "community compensation plan" to cover the losses. But this incident serves as a stark reminder that quick and dirty audits may not be sufficient for multimillion-dollar protocols, and personal responsibility is essential to stay safe.
In a follow-up development, Certik and Merlin are exploring a $2M reimbursement plan for rug pull victims. Merlin has informed the relevant authorities, and the stolen assets have been tracked to two wallets. Certik has offered the developers a 20% white hat bounty to avoid legal repercussions.
As the DeFi space continues to evolve, incidents like this remind us of the importance of vigilance, security, and accountability in protecting users and their investments. The lines between hacks and rug pulls often blurred, especially when its the protocol developers themselves who are a part of the rug pull. More and more investors require transparency of the team to prevent such instances and enable further accountability.