MERLIN DEX Hack
Incident Overview
Merlin DEX on zkSync was exploited, with one exploiter stealing almost 850,000 USDC and transferring them to Ethereum. The amount drained from a liquidity pool on the DEX reached $1.82 million, and further reports by PeckShield revealed that hackers transferred nearly 165,000 USDC to the Binance and MEXC centralized exchanges. The Merlin team has released a post-mortem report stating that several members of the back-end team had drained all of their contracts, carrying out on-chain transactions to drain all of Merlin's pools and manipulating front-end contracts.
According to the report, the back-end team implemented a function that allowed a call action against all Merlin pairs, working alongside hidden front-end contracts, and used it to drain all of Merlin's pools and the public sale. Merlin had submitted all contracts intended for use on their platform to Certik for a full audit, but there was a clear oversight regarding the overarching power that the owner had over the pools. Furthermore, the back-end team, who also had access to Merlin's web host, unknowingly manipulated the code to achieve their goal.
Merlin's priority is to return all funds to affected parties and participants on their platform at the earliest opportunity. They are working alongside on-chain analysts to monitor the movement of the stolen funds and have notified the relevant authorities in Serbia (where the back-end team is based).
Wallet addresses of the contract owner/deployer: https://explorer.zksync.io/address/0xc0D6987d…b28182, https://explorer.zksync.io/address/0xc7fD785f…95f5b0
Incident Report
Protocol Information
What the Attacker Needed to Succeed
Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.
What Auditors Should Check
If you're auditing a protocol with similar architecture to MERLIN DEX, these are the critical security checks that could have prevented this incident (April 2023).
- Verify that every logic path related to drained contracts and access control is guarded by proper access controls and input validation; see the Access Control Attacks attack class for patterns
- Review privileged functions (owner, admin, governance) for potential abuse vectors; centralization risks should be documented and bounded with timelocks or multi-sigs
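The two checks above are easier to apply with a concrete pattern in front of you. The following Solidity is an added illustration written for this page; it is not Merlin's code and does not claim to reproduce the function described in the post-mortem. The first contract shows the shape an auditor should flag: an owner-only function that can move any token to any recipient with no delay and no second signer, which an audit of the "intended" swap and liquidity logic can easily pass over. The second contract shows one way to bound the same privilege: the admin address is meant to be a multisig, privileged withdrawals are announced on-chain and only executable after a public delay, and the action is narrowed to accrued fees rather than pool reserves. All names (`PairUnbounded`, `PairBounded`, `skim`, `feesAccrued`, `DELAY`) are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not Merlin's code: a minimal pair with an unbounded
// owner privilege of the kind the checklist above warns about, followed by
// a bounded alternative. Contract and function names are hypothetical.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// --- Weak pattern ---------------------------------------------------------
// The deployer keeps a function that can move any token out of the pair to
// any address, immediately, with a single key. This is the auditor's red
// flag: arbitrary token + arbitrary recipient + owner-only + no delay.
contract PairUnbounded {
    address public owner;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Nothing limits `amount` to fees; the whole reserve is reachable.
    function skim(address token, address to, uint256 amount) external onlyOwner {
        require(IERC20(token).transfer(to, amount), "transfer failed");
    }
}

// --- Bounded alternative --------------------------------------------------
// Privileged actions are queued, become visible on-chain, and can execute
// only after DELAY; the queuing role is intended to be a multisig; and the
// action can only touch accrued protocol fees, never pool reserves.
contract PairBounded {
    uint256 public constant DELAY = 2 days;
    address public immutable admin;          // intended to be a multisig
    address public immutable feeRecipient;   // fixed at deploy time
    mapping(address => uint256) public feesAccrued; // token => fee balance
    mapping(bytes32 => uint256) public queuedAt;    // action id => queue time

    event FeeWithdrawalQueued(bytes32 indexed id, address token, uint256 amount, uint256 eta);
    event FeeWithdrawn(address token, uint256 amount);

    constructor(address multisig, address recipient) {
        admin = multisig;
        feeRecipient = recipient;
    }

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    // Step 1: announce. Anyone monitoring the chain sees the pending action
    // and has DELAY to react before it can take effect.
    function queueFeeWithdrawal(address token, uint256 amount)
        external onlyAdmin returns (bytes32 id)
    {
        require(amount <= feesAccrued[token], "exceeds fees");
        id = keccak256(abi.encode(token, amount, block.timestamp));
        queuedAt[id] = block.timestamp;
        emit FeeWithdrawalQueued(id, token, amount, block.timestamp + DELAY);
    }

    // Step 2: execute only after DELAY, only to the fixed recipient, and only
    // against accrued fees. Reserves are never reachable from this path.
    function executeFeeWithdrawal(bytes32 id, address token, uint256 amount)
        external onlyAdmin
    {
        uint256 t = queuedAt[id];
        require(t != 0 && block.timestamp >= t + DELAY, "not ready");
        require(id == keccak256(abi.encode(token, amount, t)), "id mismatch");
        require(amount <= feesAccrued[token], "exceeds fees");
        delete queuedAt[id];
        feesAccrued[token] -= amount;
        require(IERC20(token).transfer(feeRecipient, amount), "transfer failed");
        emit FeeWithdrawn(token, amount);
    }
}
```

When reviewing a protocol of this shape, enumerate every function behind an owner or admin modifier and ask three questions of each: can it reach user deposits or pool reserves rather than a bounded protocol balance, can it act immediately rather than after a published delay, and can a single key trigger it. Any function that answers yes to all three is a centralization risk that should be documented in the audit report and bounded before deployment, whether or not the rest of the codebase is sound.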
Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.
Security Audit History
- Certik Report
Related Attack Classes
The technique used in this hack maps to these vulnerability classes in our security curriculum:
Learn to Prevent the Next MERLIN DEX
The MERLIN DEX hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.