DeFi News
Certik Plans Compensation for $2M Merlin DEX Rug Pull Victims

Smart contract auditor CertiK is planning to compensate the victims of the rug pull at Merlin, a zkSync-based decentralized exchange (DEX), in which rogue developers drained about $2 million of user funds. Notably, CertiK had audited Merlin DEX.
On Thursday, April 27th, CertiK's official Twitter account announced that it was “exploring a community compensation plan to cover the ~$2M of user funds lost in the Merlin DEX rug pull.” The auditor has also offered the rogue developers a 20% white hat bounty, while denying any deficiencies in its Merlin audit report.
1/ CertiK is exploring a community compensation plan to cover the ~$2M of user funds lost in the Merlin DEX rug pull. Initial investigations indicate that the rogue developers are based in Europe, and we are working with law enforcement to track them down.
⬇️⬇️⬇️
— CertiK (@CertiK) April 26, 2023
Merlin DEX $2 Million Incident
Merlin presented itself as a zkSync-based decentralized exchange (DEX) offering true yields and liquidity. In the early hours of Wednesday, April 26th, the DEX was seemingly exploited for over $1.8 million during the three-day public sale of its Mage (MAGE) token.
Data from several blockchain intelligence platforms indicated that $1.82 million in total had been stolen from the liquidity pools. Merlin lost about $850,000 worth of USD Coin (USDC) plus a number of other, relatively illiquid tokens. According to the reports, an actor with control over the liquidity pool was able to siphon the funds easily.
However, investigations pointed to a rug pull rather than an external exploit, which CertiK's and Merlin's Twitter accounts later confirmed.
Merlin, on Twitter, said:
“Merlin’s Post-Mortem, It is with deepest regret that we have to notify you of a major fault in the structural integrity and controls of the Merlin Platform. In the early hours of this morning, several members of the Back-End Team drained all of our Contracts.”
Merlin's Post-Mortem
It is with deepest regret that we have to notify you of a major fault in the structural integrity and controls of the Merlin Platform.
In the early hours of this morning, several members of the Back-End Team drained all of our Contracts.
— Merlin (@TheMerlinDEX) April 26, 2023
Merlin had always touted an audit conducted by CertiK with no critical findings. In response, CertiK maintained that its report did flag the private key privilege issue: “In the audit report ‘Merlin DEX’, the centralization risk is highlighted under the section ‘Decentralization Efforts’,” CertiK said.
Our response teams have been working diligently to understand the circumstances and assess the extent of the impact on our community.
In the audit report "Merlin DEX", the centralization risk is highlighted under the section “Decentralization Efforts". pic.twitter.com/FE48pFGJmr
— CertiK (@CertiK) April 26, 2023
Now that the incident has been confirmed as a rug pull, the auditor and the remaining Merlin team are working to recover funds and reimburse the victims. CertiK announced:
“We urge the rogue developers to accept a 20% white hat bounty. Although we raised the private key privilege issues in the audit report, we want to assist impacted users. We are determined to track down those behind this rug pull. More compensation details will be released.”
It has also been established that the rogue developers are based in Europe, probably in Serbia. Both parties are now working with law enforcement to track them down.
