zkSync DEX Merlin loses over $1.8 million after code audit

The Ethereum-based decentralized exchange (DEX) Merlin, which uses Zero-Knowledge Sync (zkSync), has lost more than $1.8 million in a liquidity pool exploit, hours after the smart-contract security firm CertiK audited its code. The hack happened on Wednesday morning during the public sale of Merlin's native token MAGE, with the attacker draining several assets, including USD Coin (USDC), Ether (ETH) and other illiquid tokens. Merlin's LP drained after code audit: a few hours after the exploit, CertiK tweeted that it was investigating the incident and working to understand its impact on the community. The security firm announced that its initial findings indicated …


The Ethereum-based decentralized exchange (DEX) Merlin, which uses Zero-Knowledge Sync (zkSync), has lost more than $1.8 million in a liquidity pool exploit after the smart-contract security firm CertiK had audited its code.

The hack occurred on Wednesday morning during the public sale of Merlin's native token, with the attacker draining several assets, including USD Coin (USDC) and other illiquid tokens.

Merlin's LP drained after code audit

A few hours after the exploit, CertiK tweeted that it was investigating the incident and working to understand its impact on the community. The security firm announced that its initial findings indicated that a problem with private key management could have led to the hack, rather than an exploit as such.

CertiK said that the latest audit report for Merlin, in the section "Decentralization Efforts", pointed out the centralization risk. The company insisted that audits cannot prevent private key issues, but always ensure that best practices are highlighted for projects.

As in the audit of April 24, 2023, CertiK recommended that Merlin upgrade its centralized roles to a decentralized mechanism such as multi-signature wallets to improve its security practices. The company also asked the protocol to implement a timelock function with a latency of at least 48 hours to avoid a single point of failure in key management. CertiK also promised to work with the responsible authorities if foul play is discovered.

"We encourage all community members to fully check this information and all audits. While we navigate this challenging situation, we would like to assure you that we are taking all the necessary measures to protect the interests of our community," said CertiK.

Malicious code identified

Interestingly, eZKalibur, another zkSync DEX and launchpad, revealed that it had identified the malicious code that enabled the hackers to drain Merlin's funds. The DEX said it found two lines of code in the initialization function that granted the feeTo address approval to transfer an unlimited amount of tokens from the contract address.

📢 We have carried out some research on Merlin's smart contracts and identified the malicious code that is responsible for removing funds.

These two code lines in the initialization function essentially grant the approval for the desired address, an unlimited (type(uint256).max) ... pic.twitter.com/miksh4hkhb

- eZKalibur ∎ (@zkaliburdex) April 26, 2023
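The pattern eZKalibur describes, an unlimited ERC-20 approval granted to the feeTo address from inside an initializer, is the kind of thing a reviewer can screen for before reading a contract line by line. The following Python heuristic is an added example, not code from the article, CertiK or eZKalibur; the Solidity fragment it scans is constructed to mirror the description and is not Merlin's actual source, and the list of privileged spender names is an assumption.

```python
import re

# Constructed Solidity fragment modelled on the two lines the tweet describes;
# not Merlin's actual source. initialize() hands feeTo an unlimited allowance
# over both pool tokens, while swap() approves only a bounded amount.
SAMPLE_SOURCE = """
contract Pair {
    function initialize(address _token0, address _token1) external {
        IERC20(_token0).approve(feeTo, type(uint256).max);
        IERC20(_token1).approve(feeTo, type(uint256).max);
    }
    function swap(uint256 amount) external {
        IERC20(token0).approve(router, amount);
    }
}
"""

# Common spellings of an unlimited ERC-20 allowance.
UNLIMITED = re.compile(r"type\s*\(\s*uint256\s*\)\s*\.\s*max|2\s*\*\*\s*256\s*-\s*1"
                       r"|uint256\s*\(\s*-\s*1\s*\)|0x[fF]{64}")
# External approve(spender, amount) call; amount may contain one level of parens.
APPROVE = re.compile(r"\.\s*approve\s*\(\s*([^,]+?)\s*,\s*((?:[^()]|\([^()]*\))+?)\s*\)")
FUNC = re.compile(r"\b(?:function\s+(\w+)|constructor)\s*\(")

def _functions(source):
    """Yield (name, body) for every function that has a body, by brace matching."""
    for m in FUNC.finditer(source):
        name = m.group(1) or "constructor"
        open_idx, semi = source.find("{", m.end()), source.find(";", m.end())
        if open_idx == -1 or (semi != -1 and semi < open_idx):
            continue  # bodiless declaration (interface / abstract function)
        depth, i = 0, open_idx
        while i < len(source):
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            if depth == 0:
                break
            i += 1
        yield name, source[open_idx:i + 1]

def find_unlimited_approvals(source, privileged=("feeTo", "owner", "admin")):
    """Return (function, spender, amount) for each unlimited approve() placed in a
    constructor/initializer or granted to an assumed-privileged spender. A text
    heuristic, not a Solidity parser: it says where to read closely, not that code is safe."""
    findings = []
    for name, body in _functions(source):
        is_init = name == "constructor" or name.lower().startswith("init")
        for call in APPROVE.finditer(body):
            spender, amount = call.group(1).strip(), call.group(2).strip()
            if UNLIMITED.search(amount) and (is_init or spender in privileged):
                findings.append((name, spender, amount))
    return findings
```

Run on the constructed fragment it reports both initializer approvals to feeTo and ignores the bounded approval in swap(); a hit is a prompt to check who controls that spender address and whether a timelock or multi-signature gate stands in front of it.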

In the meantime, the Merlin team asked users to revoke access for the connected site in their wallets while it analyzes the cause of the exploit.
