Decentralized exchange Merlin suffered a loss of $1.82 million on April 26, as an attacker drained funds from a liquidity pool on the zkSync-based DEX. This incident raises concerns over the effectiveness of DeFi audits, as Merlin had been audited by the well-known security firm CertiK just days before the hack.

The hacker managed to deplete the liquidity pool of the Merlin DEX, which had only launched a few days prior, and was built on zkSync, a Layer 2 zk-rollup-based scaling solution for Ethereum. The funds, consisting of USDC tokens, were bridged from zkSync to Ethereum, with blockchain security firm PeckShield and several community members identifying the exploiter’s addresses.

Merlin’s Core Farming Pools had attracted significant investment in the days following the platform’s launch. The hack’s impact on the ongoing public sale of the MAGE token remains unclear, but it has certainly raised investor caution.

CertiK Audits Under Scrutiny

CertiK has audited numerous projects in the past that later fell victim to hacks, including PancakeBunny, Uranium Finance, and Meerkat Finance. This has led to growing doubt within the crypto community about the quality of its audits. CertiK’s lavish praise of the Terra project has also raised eyebrows.

Snapshot of the CertiK website on 16 April 2023

The Merlin hack occurred despite an audit report from CertiK that found “No Critical Findings”. CertiK suggested that the hack could be due to a private key management issue rather than an exploit, claiming that audits cannot prevent such issues. The firm also assured that it would share relevant information with authorities if foul play is suspected.

Tracking the Stolen Funds

The attacker has already begun moving some of the stolen funds to exchanges, with PeckShield reporting that $133,800 USDC has been sent to MEXC Global and $31,000 USDC to Binance.

PeckShield’s tracking of USDC transferred to CEXes by the Merlin DEX exploiters

This incident underscores the need for DeFi projects to focus on the quality of audits and their security measures to gain public trust. As the DeFi market continues to be a major target for hackers, the crypto community is becoming increasingly cautious of audits and their role in mitigating risk.