CertiK Claims to Freeze $160K Stolen in Merlin DEX Rug Pull

Smart contract auditor CertiK has claimed to have frozen $160K out of $1.8 million stolen in the zkSync-based Merlin DEX rug pull on April 25th.
The official Twitter account of blockchain security firm CertiK announced the news on Thursday, May 4th, saying that it is monitoring the movement of the stolen funds with law enforcement to recover the remaining funds. CertiK announced:
“We have successfully frozen $160K of the stolen funds with the help of partners. We will continue to monitor the movement of all stolen funds in an attempt to freeze and recover the remaining amount.”
— CertiK (@CertiK) May 4, 2023
CertiK Pledges $2M to Fight Exit Scam and Help Victims
The Merlin DEX rug pull incident happened on April 25th when a rogue back-end team drained all of the platform’s contracts. The incident occurred during the three-day public sale of its mage (MAGE) tokens, and the rogue developer(s) were able to get away with nearly $2 million in users’ funds.
In the latest update, the security firm said it had managed to freeze $160K stolen in the incident. The team said that it tried to collaborate with the remaining members of Merlin but to no avail because “a number of core members were unwilling to verify their true identities.”
This lack of collaboration from the DEX team has slowed down the investigation and the recovery of funds. CertiK said:
“This lack of cooperation has complicated our efforts to validate and aid victims. We are focusing on working with law enforcement and have submitted information to relevant US & UK agencies. We are exploring all possibilities to fight exit scams with the $2M we’ve committed.”
It is important to recall that CertiK audited Merlin. CertiK denied any deficiencies in its audit report, saying that it highlighted the private key privileges issue. The incident was a rug pull rather than an exploit.
However, the team admitted that although the centralization risks were highlighted, they were unable to outline the risks “as clearly as they needed to be.” Centralization risks should have been highlighted distinctly so users knew the whole picture. The firm plans to improve its report’s tone to communicate the risks “clearly and transparently.”
Although the centralization risks were called out in the report, we didn’t make the impact of these findings as clear as they needed to be.
The centralized privileges should have been distinctly highlighted so users were aware of the risks.
— CertiK (@CertiK) May 4, 2023
Blockchain Journal reported that CertiK announced a $2 million compensation plan to reimburse the victims. According to the recent update, this $2 million will be used “to fight exit scams as well as help scam victims.”
