CertiK to launch compensation plan for $2M Merlin DEX exploit

Blockchain security firm CertiK is launching a compensation plan to cover the $2 million lost during a public sale of decentralized exchange Merlin’s MAGE token.

In a statement to Cointelegraph on April 26, CertiK reiterated it is investigating the exit scam and has also enlisted the remaining Merlin team to initiate the compensation plan. It said:

“Initial investigations indicate that the rogue developers are based in Europe, and CertiK will collaborate with law enforcement authorities to track them down if direct negotiation is unsuccessful.”

The blockchain security company is urging the rogue developer to return 80% of the stolen funds, conceding 20% as a white hat bounty.

The firm also pointed out that private key privileges are “committed to assisting impacted users” despite them being outside the scope of a smart contract audit.

Merlin lost about $850,000 worth of USD Coin (USDC) and some more relatively illiquid tokens on April 26 during its three-day MAGE token public sale without any hard cap. Blockchain data suggests that an exploiter with control over the liquidity pool was able to easily siphon the funds.

We did some research on Merlin smart contracts and we identified the malicious code responsible for the draining of funds.

These two lines of code in the initialize function are essentially granting approval for the feeTo address to transfer an unlimited (type(uint256).max)… pic.twitter.com/mIksh4HkhB

— eZKalibur ∎ (@zkaliburDEX) April 26, 2023

CertiK, which audited Merlin’s code, responded with its initial findings pointing to a “potential private key management issue.”

We’re actively investigating the @TheMerlinDEX incident. Initial findings point to a potential private key management issue rather than an exploit as the root-cause.

While audits cannot prevent private key issues, we always highlight best practices to projects.

Should any foul…

— CertiK (@CertiK) April 26, 2023

Crypto Twitter questioned the CertiK audit, implying that there might be a rug pull.

Verichains founder Thanh Nguyen alluded to a “backdoor” present in Merlin’s code, saying it is a “clear security risk as there is no use case that requires its approval.”

3/4 However, in the Merlin code, there is a “backdoor” code (L87-88) that allows the feeTo of MerlinFactory to transfer all assets in the pair, in addition to the fee in the swap function. This backdoor is a clear security risk as there is no use case that requires its approval. pic.twitter.com/HAnwZT27ZS

— Thanh Nguyen (@redragonvn) April 26, 2023

“While audits can identify potential risks and vulnerabilities, they cannot prevent malicious activities on the part of rogue developers such as rug pulls,” CertiK said in a statement to Cointelegraph. “We encourage users to look for projects with a ‘KYC Badge’ as an added layer of security, signifying that the project has voluntarily gone through a KYC vetting process.”

Related: Ordinals Finance has conducted a $1M rug pull: CertiK

The firm explained that doing so can help reduce and mitigate the risk of insider threats such as rug pulls.

CertiK said it would continue providing updates on its compensation plan and ongoing investigation.

Update: This article was updated to reflect that only CertiK had proposed a compensation plan for the Merlin DEX exploit.