Merlin, a decentralized exchange (DEX) based on Ethereum (ETH) layer-2 protocol zkSync, confirmed it was exploited despite being audited by smart-contract auditor CertiK.
The DEX advised everyone who had connected a wallet to its site to revoke any permissions they had signed for it. The team added that it was analyzing the exploit and urged everyone to follow the instructions it had issued.
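The "revoke permissions" advice above refers, for an ERC-20 token, to resetting the spender allowance a user previously granted to the DEX's contracts. The block below is an added example, not code from the CryptoSlate article or from Merlin or CertiK: it encodes the standard ERC-20 `allowance` and `approve(spender, 0)` calls, classifies a returned allowance (none, limited, or unlimited), and assembles the JSON-RPC objects a wallet would send. The owner, spender and token addresses are constructed placeholders, and the selectors are the well-known ERC-20 ones (the first four bytes of the keccak-256 hash of each function signature), hard-coded here so the example runs offline without a hashing library.

```javascript
// Added example (not from the article or the projects it names): encode an ERC-20
// allowance check and a zero-value approve, which is how a user revokes a DEX's
// permission to move their tokens.
//
// Standard ERC-20 selectors (first 4 bytes of keccak256 of the signature):
//   allowance(address,address) -> 0xdd62ed3e
//   approve(address,uint256)   -> 0x095ea7b3
const SELECTOR_ALLOWANCE = "dd62ed3e";
const SELECTOR_APPROVE = "095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n; // the usual "unlimited" approval value

// Left-pad a hex string (no 0x prefix) to one 32-byte ABI word.
function pad32(hexNoPrefix) {
  return hexNoPrefix.toLowerCase().padStart(64, "0");
}

function addrWord(addr) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(addr)) throw new Error("bad address: " + addr);
  return pad32(addr.slice(2));
}

function uintWord(n) {
  const v = BigInt(n);
  if (v < 0n || v > MAX_UINT256) throw new Error("uint256 out of range");
  return pad32(v.toString(16));
}

// Calldata for allowance(owner, spender): read-only, used via eth_call.
function encodeAllowance(owner, spender) {
  return "0x" + SELECTOR_ALLOWANCE + addrWord(owner) + addrWord(spender);
}

// Calldata for approve(spender, 0): the revoke transaction itself.
function encodeRevoke(spender) {
  return "0x" + SELECTOR_APPROVE + addrWord(spender) + uintWord(0);
}

// Decode the single uint256 word that allowance() returns.
function decodeUint256(returnData) {
  const hex = returnData.startsWith("0x") ? returnData.slice(2) : returnData;
  if (hex.length !== 64) throw new Error("expected exactly one 32-byte word");
  return BigInt("0x" + hex);
}

// Turn a raw allowance result into a risk label a user can act on.
function classifyAllowance(returnData) {
  const v = decodeUint256(returnData);
  if (v === 0n) return "none";
  if (v === MAX_UINT256) return "unlimited";
  return "limited";
}

// JSON-RPC request to read the current allowance (no network call is made here).
function buildAllowanceCall(token, owner, spender) {
  return {
    jsonrpc: "2.0",
    id: 1,
    method: "eth_call",
    params: [{ to: token, data: encodeAllowance(owner, spender) }, "latest"],
  };
}

// Transaction object a wallet would sign and send to revoke the approval.
function buildRevokeTx(token, owner, spender) {
  return { from: owner, to: token, value: "0x0", data: encodeRevoke(spender) };
}

// Constructed placeholder addresses; not real tokens, users or DEX contracts.
const TOKEN = "0x" + "a".repeat(40);
const OWNER = "0x" + "1".repeat(40);
const SPENDER = "0x" + "2".repeat(40);

// Example flow: check the allowance, and if it is non-zero prepare the revoke tx.
const sampleReturnData = "0x" + "f".repeat(64); // constructed: an unlimited approval
if (classifyAllowance(sampleReturnData) !== "none") {
  console.log(JSON.stringify(buildAllowanceCall(TOKEN, OWNER, SPENDER)));
  console.log(JSON.stringify(buildRevokeTx(TOKEN, OWNER, SPENDER)));
}
```

The `eth_call` result is what a wallet or allowance-checker UI would feed to `classifyAllowance`; an "unlimited" result for a contract you no longer trust is the case the DEX's advice is aimed at, and the revoke transaction is just a normal `approve` with a zero amount submitted from the owner's wallet.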
Merlin was yet to respond to CryptoSlate’s request for comment as of press time.
CertiK says the hack is a potential private key management issue
CertiK said its initial investigation into the hack pointed to a potential private key management issue, rather than a smart-contract exploit, as the root cause.
The blockchain security firm noted that it had highlighted the “centralization risk” under “Decentralization Efforts” in its audit of the project. CertiK added that “audits cannot prevent private key issues.”
Meanwhile, CertiK said it would share relevant information with the authorities if it suspected foul play.
Despite CertiK’s explanations, some crypto community members have questioned the validity of the audits performed by the firm. CertiK is one of the biggest names in the blockchain security business.
MerlinDEX exploiter moving funds to exchanges
Blockchain security firm PeckShield reported that the Merlin DEX exploiter was already sending some of the stolen funds to exchanges.
According to the firm, the exploiter sent $133,800 in USDC to MEXC Global and $31,000 in USDC to Binance.
Meanwhile, available information shows that two addresses were responsible for the exploit. An address starting with 0x2744 took $850,000 USDC and bridged it to Ethereum — while the other address, 0x2744d62, stole $844,000 USDC.
The post CertiK says it highlighted ‘centralization risks’ in Merlin DEX audit appeared first on CryptoSlate.