Merlin DEX Insider Draw Results in CertiK’s Seizure of $160,000 in Stolen Funds
Blockchain security firm CertiK announced on May 4 that it had successfully blocked $160,000 in funds stolen from Merlin, a zkSync-based decentralized exchange that was recently subjected to a rogue internal carpet-pull. The fraudulent activity resulted in $1.8 million in losses for users last week.
According to a Twitter thread posted on May 4, CertiK reiterated that the insider has pulled the Merlin DEX rug. However, the blockchain security firm stated that its efforts to collaborate with Merlin to recover the funds were unsuccessful because other project team members were unwilling to verify their true identities.
The lack of cooperation has complicated efforts to assist victims of exploitation. However, CertiK is working with US and UK law enforcement to uncover the identities of the pseudonymous operators responsible for the rug.
CertiK believes that the ‘rogue developers’ behind the scam are based in Europe. According to the company, Merlin insiders abused the privileges of the owner’s wallet, which is consistent with its initial finding that the issue was a private key issue rather than an exploit.
Merlin claims that the rug-pulling was carried out by his backroom team, who they put “a high degree of confidence in.”
The zkSync-based decentralized exchange was hacked on April 25, just days after it was launched. CertiK noted at the time that the project had “central risks” in its audit of the company.
Announcing a $2 million compensation plan for exit scam victims
The blockchain security firm admitted that it did not adequately highlight this risk and that central privileges should have been clearly emphasized to educate users about the risks.
To prevent similar incidents from happening in the future, CertiK has pledged to prioritize centralization risks in audit summaries to ensure that users have a complete picture of potential risks.
CertiK announced a $2 million compensation plan to cover losses suffered by the exit scam victims on April 27.
The security firm also pledged to use the funds to help prevent similar scams in the future and provide assistance to those affected.