Blockchain security firm freezes $160K stolen in Merlin DEX ‘rugpull’
Smart contract auditor CertiK claims to have blocked $160,000 from Merlin, a zk-Sync-based decentralized exchange (DEX) which has been the center of a rogue insider “rugpull” that lost users $1.8 million last week.
CertiK shared the news of its successful $160,000 freeze of the stolen funds in an update to its 257,700 Twitter followers on May 5.
“We have successfully frozen $160K of the stolen funds with the help of partners,” CertiK said, adding that they’re continuing to monitor the movement of the stolen funds:
We have successfully frozen $160K of the stolen funds with the help of partners. We will continue to monitor the movement of all stolen funds in an attempt to freeze and recover the remaining amount.
— CertiK (@CertiK) May 4, 2023
The firm explained that they tried to “collaborate” with Merlin to recover the funds stolen from the April 25 “rugpull” but the effort was to no avail.
It led the firm to reach out to law enforcement in the United States and the United Kingdom in an attempt to uncover the identities of the pseudonymous operators:
“This lack of cooperation has complicated our efforts to validate and aid victims. We are focusing on working with law enforcement and have submitted information to relevant US & UK agencies.”
“We are exploring all possibilities to fight exit scams with the $2M we’ve committed,” CertiK added.
The security firm believes the “rogue developers” are based in Europe, according to an earlier post.
As for the exit scam, CertiK said “Merlin insiders abused the owner’s wallet privileges,” which is consistent with its initial finding that it came from a private key issue as opposed to an exploit.
Merlin claims the rug pull was carried out by its back-end team, which they claim to have put a “high degree of trust in.”
We are deeply saddened by the actions of the technical team, whom we put a high degree of trust in. Merlin will continue to support our community and resolve the issue.
— Merlin (@TheMerlinDEX) April 26, 2023
Related: April’s crypto scams, exploits and hacks lead to $103M lost — CertiK
CertiK, on the other hand, attributed part of the blame to themselves for failing to properly inform users of the centralization risks.
In a note to Cointelegraph, the firm said they would place more emphasis on this in future audit summaries.
“We are working to improve the clarity of our audit summaries in our reports – especially around centralization risks — and to better communicate with the community about the purpose of an audit.”
Going forward, CertiK will prioritize centralization risks in audit summaries to ensure users have a complete picture of potential risks.
We recognize that audit reports can be highly technical documents, and it’s our job to communicate the risks clearly and transparently.
— CertiK (@CertiK) May 4, 2023
CertiK however stressed that smart contract auditors shouldn’t be held fully responsible for failing to identify rug pulls:
“Code Audits serve the purpose of uncovering vulnerabilities, not to detect a potential rugpull. Its important to recognize that many projects both large and small have centralization issues flagged, and the vast majority do not result in a rugpull,” the firm said.
The firm launched a $2 million compensation plan to cover the funds lost as a result of the “exit scam” on April 27.
The firm added that the funds pledged will be used to prevent exit scams and assist victims where possible.
Magazine: Crypto audits and bug bounties are broken: Here’s how to fix them