Apr 2023 - Merlin DEX Liquidity Pool Drained - $1.8m (Global)

"Merlin is an immutable, permissionless, community-focused DEX based on ZkSync."
"Merlin is based on a dual AMM capable of supporting both volatile (UniV2) and stable (Curve-like) exchanges while minimizing fees and maximizing speed and dependability."
"In addition, we’re introducing dynamic directional fees for our trading pairs: this allows for various fees to be set for each pool, as well as different fees based on the swap direction (buying/selling)."
"These innovative AMM features enable us to offer pool configurations that are significantly more specialized and tailored to the particular trading pairs."
"Earnings from the protocol, initially derived primarily from swap fees, will be partially redistributed to stMAGE users in the form of real yield and used to maintain a continuous buying pressure on MAGE."
"Merlin had passed its second audit by Certik just two days before the attack."
"We advise the client to carefully manage the privileged account's private key to avoid any potential risks of being hacked. In general, we strongly recommend centralized privileges or roles in the protocol be improved via a decentralized mechanism or smart-contract-based accounts with enhanced security practices, e.g., multisignature wallets."
"However, this issue was marked as ‘Resolved’ by Certik, who stated that the Merlin team had promised to use a multisig. Enough users apparently didn’t read the audit fully, or simply didn’t care about the implications of trusting the project."
"$1.8M disappeared in a puff of smoke as Merlin pulled the classic DeFi magic trick."
"Merlin, a DEX native to the recently-launched zksync L2, was in the middle of a 3-day “Liquidity Generation Event” as part of its token (MAGE) launch."
"The alarm was initially raised by a community member before Peckshield spread the message. Merlin then acknowledged the incident, advising users to revoke permissions as a precaution."
"The rug mechanism was a straightforward case of draining the liquidity pools into which users were depositing as part of the MAGE token sale."
"This was made possible via max approvals granted to the Feeto address upon deployment of the pools. The individual/s in control of the Feeto address could then drain the pool of all assets, which were then bridged to ETH."
"Merlin’s own post-mortem places the blame squarely on the back-end development team. The thread includes links to developers’ github profiles and states that Serbian authorities have been contacted."
"The rugged funds were bridged back to Ethereum, swapped for ETH and transferred to other addresses."
Further Analysis
Merlin is a decentralized exchange (DEX) built on ZkSync and designed to support both volatile and stable exchanges with low fees and high speed. The platform introduces dynamic directional fees, which allow different fees to be set for each pool and for each swap direction. Earnings from the protocol are to be partially redistributed to stMAGE users and used to maintain continuous buying pressure on MAGE. However, despite passing its second audit by Certik, Merlin suffered a rug pull during its Liquidity Generation Event, resulting in the loss of $1.8 million. The incident was made possible by unlimited (max) token approvals that the pool contracts granted to the Feeto address when the pools were deployed; whoever controlled the Feeto address could transfer every asset out of the pools, and the stolen assets were then bridged to ETH. Merlin's post-mortem places the blame on the back-end development team, and the rugged funds were bridged back to Ethereum, swapped for ETH, and transferred to other addresses.
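The failure mode above is visible on-chain before any funds move: a pool contract emits an ERC-20 Approval event naming the privileged address as spender with a maximum value. The following script, added here as an example and not code from Merlin, Certik or any of the cited sources, replays decoded Approval events, keeps the live allowance per (token, owner, spender), and flags any allowance a pool has granted to an address that is neither another pool nor on an explicitly trusted list (a verified multisig, for instance), sizing each finding by how much the spender could take right now. All addresses, balances and events are constructed placeholders; field names are assumptions modelled on the Approval(owner, spender, value) event, not values taken from the Merlin contracts.

```python
from dataclasses import dataclass

MAX_UINT256 = 2**256 - 1
# Allowances at or above this are treated as effectively unlimited
# (2**256-1 is the usual "max approval", but some front-ends use other huge values).
UNLIMITED_THRESHOLD = 2**128


@dataclass(frozen=True)
class Approval:
    """A decoded ERC-20 Approval(owner, spender, value) event, in emission order."""
    token: str
    owner: str
    spender: str
    value: int


@dataclass(frozen=True)
class Finding:
    severity: str
    pool: str
    token: str
    spender: str
    drainable: int   # tokens the spender could transferFrom the pool right now
    reason: str


def is_unlimited(value: int) -> bool:
    return value >= UNLIMITED_THRESHOLD


def current_allowances(approvals):
    """Replay events in order; approve() overwrites, so the last event per
    (token, owner, spender) is the live allowance."""
    latest = {}
    for ev in approvals:
        latest[(ev.token.lower(), ev.owner.lower(), ev.spender.lower())] = ev.value
    return latest


def audit_pool_approvals(pools, trusted_spenders, reserves, approvals):
    """Flag every live allowance a pool contract has granted to an address that is
    not itself a pool and not on the trusted list (e.g. a verified multisig).
    `reserves` maps (pool, token) to the pool's current token balance."""
    pools = {p.lower() for p in pools}
    trusted = {t.lower() for t in trusted_spenders}
    reserves = {(p.lower(), t.lower()): bal for (p, t), bal in reserves.items()}
    findings = []
    for (token, owner, spender), allowance in current_allowances(approvals).items():
        if owner not in pools or allowance == 0:
            continue          # only allowances granted BY a pool matter here
        if spender in pools or spender in trusted:
            continue          # pool-to-pool or explicitly trusted spender
        drainable = min(allowance, reserves.get((owner, token), 0))
        if is_unlimited(allowance):
            severity, reason = "critical", "unlimited allowance to externally controlled address"
        else:
            severity, reason = "high", "non-zero allowance to externally controlled address"
        findings.append(Finding(severity, owner, token, spender, drainable, reason))
    # Largest exposure first
    return sorted(findings, key=lambda f: f.drainable, reverse=True)


# --- Constructed sample data (placeholder addresses, not on-chain values) ---
USDC = "0x00000000000000000000000000000000000000c1"
WETH = "0x00000000000000000000000000000000000000c2"
POOL_A = "0x00000000000000000000000000000000000000a1"
POOL_B = "0x00000000000000000000000000000000000000a2"
ROUTER = "0x00000000000000000000000000000000000000d1"
FEE_EOA = "0x00000000000000000000000000000000000000e1"   # hypothetical fee-collector EOA
MULTISIG = "0x00000000000000000000000000000000000000f1"  # hypothetical trusted multisig
USER = "0x00000000000000000000000000000000000000b1"

SAMPLE_APPROVALS = [
    Approval(USDC, POOL_A, FEE_EOA, MAX_UINT256),   # granted in the pool constructor
    Approval(WETH, POOL_A, FEE_EOA, MAX_UINT256),
    Approval(USDC, POOL_B, FEE_EOA, MAX_UINT256),   # later revoked below
    Approval(USDC, POOL_B, FEE_EOA, 0),
    Approval(WETH, POOL_B, MULTISIG, MAX_UINT256),  # trusted spender: not flagged
    Approval(USDC, USER, ROUTER, MAX_UINT256),      # user approval: out of scope here
]
SAMPLE_RESERVES = {
    (POOL_A, USDC): 900_000 * 10**6,
    (POOL_A, WETH): 300 * 10**18,
    (POOL_B, USDC): 100_000 * 10**6,
    (POOL_B, WETH): 40 * 10**18,
}


def demo_findings():
    return audit_pool_approvals([POOL_A, POOL_B], [MULTISIG], SAMPLE_RESERVES, SAMPLE_APPROVALS)


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f.severity.upper():8} pool={f.pool} token={f.token} spender={f.spender} "
              f"drainable={f.drainable} ({f.reason})")
```

On the constructed data only the two unlimited allowances from POOL_A to the fee-collector EOA are reported; the POOL_B allowance was overwritten to zero, the multisig is trusted by configuration, and the user-to-router approval is a separate concern. The same replay can be run against decoded Approval logs from a block explorer immediately after pool deployment, which is when the pattern described in this incident becomes visible.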
How Could This Have Been Prevented?
The project relied on a single firm for auditing, and the audit was completed before the promised multi-sig was actually set up, so the privileged-key finding was marked resolved on the strength of a promise rather than a verified deployment.
More Cryptocurrency Exchange Hacks/Scams/Frauds
Sources/Further Reading
Rekt - Merlin DEX - REKT (Dec 31)
Mage.Exchange | MerlinDEX (Dec 31)
Merlin A Zksync Dex Liquidity Lodger (Dec 31)
zkSync Era Block Explorer (Dec 31)
zkSync Era Block Explorer (Dec 31)
zkSync Era Block Explorer (Dec 31)
@TheMerlinDEX Twitter (Dec 31)
@PeckShieldAlert Twitter (Dec 31)
@BeosinAlert Twitter (Dec 31)
@wasgiventhatday Twitter (Dec 31)
https://medium.com/@nelsonblue41/introduction-to-merlin-d489a40cf4d6 (Dec 31)
t.me/QuadrigaInitiative | /r/QuadrigaInitiative | @QuadrigaInit | info@quadrigainitiative.com