Blockchain audit firm CertiK will cover the losses of Merlin DEX users affected by a rogue developer who drained the protocol’s liquidity pool.
Merlin DEX, a decentralized exchange based on zkSync technology, was exploited for over $1.8 million on Wednesday by a rogue developer with access to the protocol’s smart contracts.
The attack happened during a public sale of the protocol’s native token, mage (MAGE), despite Merlin’s audit from blockchain security firm CertiK.
A rug pull is an exit scam in which the perpetrators create a new token, launch a liquidity pool, and pair it with a base token, like ether (ETH) or a stablecoin like dai (DAI).
A protocol uses a large pool of tokens, called a liquidity pool, to fulfill trades instead of an order book system that requires buyers and sellers to list and wait for their trade orders.
The rogue developer was able to withdraw all the liquidity from Merlin’s pool, leaving users with worthless tokens. The developer also tried to cover their tracks by deleting the protocol’s website, Twitter account, and Telegram group.
CertiK will compensate affected users for their losses and investigate the incident. The audit firm said in an email to CoinDesk that it is “actively investigating” the incident and will initiate a compensation plan to cover the lost funds for affected users.
CertiK stated that the rogue developers are in Europe and that it will cooperate with law enforcement if negotiation fails. The firm urged the developer to return 80% of the stolen funds and accept a 20% white hat bounty.
CertiK also said it would help impacted users despite private key issues, and it cautioned users to research new projects and token sales.
Merlin DEX was one of the first decentralized exchanges to use zkSync, a layer-2 scaling solution that aims to improve the speed and cost of transactions on Ethereum.
The protocol claimed to offer its users low fees, high throughput, and privacy features. However, the rug pull scam has exposed the vulnerability of new and untested projects in the crypto space.