Rogue Developer Conducts Rugpull on Merlin DEX
On Wednesday, a rogue developer behind the hyped launch allegedly conducted a rugpull on zkSync-based decentralized exchange Merlin. The attack caused a loss of nearly $2 million in user funds. In response, Merlin plans to compensate affected users in partnership with blockchain audit firm CertiK.
What is a Rugpull?
A rugpull is a type of exit scam in which the perpetrators create a new token, launch a liquidity pool for it, and pair it with a base token like ether (ETH) or a stablecoin like dai (DAI). A liquidity pool is a large pool of tokens that a protocol uses to fulfill trades, as opposed to an order book system where buyers and sellers list their trade orders and wait to be filled.
Compensation Plan with CertiK
According to a representative for CertiK who spoke to CoinDesk in an email on Thursday, the blockchain audit firm is actively investigating the recent Merlin DEX exit scam. CertiK is suspected of causing the loss of around $2 million in user funds. The representative said, “Working closely with the remaining Merlin team, CertiK will initiate a compensation plan to cover the lost funds for affected users.” CertiK has also indicated that they will collaborate with law enforcement authorities to track down the rogue developers if direct negotiation is unsuccessful. The rogue developer is urged to return 80% of the stolen funds and accept a 20% white hat bounty. Although private key privileges are outside the scope of a smart contract audit, CertiK is committed to assisting impacted users in this case.
Merlin’s Exploitation and Alleged Rogue Developer
Merlin was seemingly exploited for over $1.8 million on Wednesday morning during a public sale of its mage (MAGE) tokens. The attack occurred despite Merlin touting an audit conducted by blockchain security firm CertiK. Further analysis by firms and analysts alleged the attack was conducted by a rogue developer who held private keys to Merlin’s smart contracts, allowing them to withdraw all liquidity from the protocol.