Certik tweeted that it is investigating the incident, and that its initial findings suggest a potential issue with private key management.
Merlin, a decentralized exchange using zkSync, appears to have been hacked for over $1.82 million immediately after receiving a code audit from smart-contract auditor Certik.
Certik tweeted that it is investigating the incident and that its initial findings suggest a potential issue with private key management — not necessarily a code exploit.
"While audits cannot prevent private key issues, we always highlight best practices to projects," Certik said. "Should any foul play be discovered, we will work with the appropriate authorities and share relevant info. Stay tuned for updates."
Meanwhile, eZKalibur — a zkSync decentralized exchange and launchpad that, like Merlin, forked part of DEX Camelot's contract — claims to have identified the malicious code responsible for the draining of funds.
"These two lines of code in the initialize function are essentially granting approval for the feeTo address to transfer an unlimited (type(uint256).max) amount of token0 and token1 from the contract's address," it explained while questioning the quality of Certik's audit. "In this case, the feeTo address could potentially call the transferFrom function on the respective tokens to transfer tokens from the contract's address to itself."
"A finding like this should be reported at least as 'major,' if not 'critical,'" eZKalibur commented to The Block, adding: "It can't be marked as a hidden and simple decentralization issue since, without a timelock, it could lead to an immediate drain of the totality of the funds deposited on the protocol, which is exactly what happened."
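To make the pattern eZKalibur describes concrete, here is an added illustration written for this page; it is not Merlin's, Camelot's or eZKalibur's code, and the contract and function names (UnsafePair, SaferPair, collectProtocolFees, IFactory) are hypothetical. The first contract reconstructs the shape of the two approve() lines in an initialize function; the second shows the usual alternative, in which the pair never holds a standing allowance for anyone and pays out only the fee it has actually accrued.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the project or article. Names are hypothetical.

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

interface IFactory {
    function feeTo() external view returns (address);
}

/// Vulnerable pattern: initialize() grants the factory's feeTo an unlimited
/// allowance over both reserve tokens held by the pair. Whoever controls the
/// feeTo key can call token.transferFrom(pair, feeTo, pair's balance) at any
/// moment and empty the pool; no swap, no timelock, no governance step.
contract UnsafePair {
    address public factory;
    address public token0;
    address public token1;

    constructor() {
        factory = msg.sender;
    }

    function initialize(address _token0, address _token1) external {
        require(msg.sender == factory, "FORBIDDEN");
        token0 = _token0;
        token1 = _token1;
        // The two lines in question: a blanket approval of the pair's own
        // balances to a single externally controlled address.
        address feeTo = IFactory(factory).feeTo();
        IERC20(_token0).approve(feeTo, type(uint256).max);
        IERC20(_token1).approve(feeTo, type(uint256).max);
    }
}

/// Hardened pattern: reserves are never approved to anyone. Protocol fees are
/// accounted in storage as swaps happen and paid out by an explicit push
/// transfer of exactly the accrued amount, so the most feeTo can ever move
/// out of the pair is the fee it is owed.
contract SaferPair {
    address public factory;
    address public token0;
    address public token1;
    uint256 public feesOwed0;
    uint256 public feesOwed1;

    constructor() {
        factory = msg.sender;
    }

    function initialize(address _token0, address _token1) external {
        require(msg.sender == factory, "FORBIDDEN");
        token0 = _token0;
        token1 = _token1;
        // Deliberately no approve() calls: the pair keeps full custody.
    }

    // Called by the swap logic (omitted here) with the protocol's fee share
    // of a swap; it is the only thing that ever grows the fee balances.
    function _accrueFee(uint256 fee0, uint256 fee1) internal {
        feesOwed0 += fee0;
        feesOwed1 += fee1;
    }

    function collectProtocolFees() external {
        address feeTo = IFactory(factory).feeTo();
        require(msg.sender == feeTo, "FORBIDDEN");
        uint256 amount0 = feesOwed0;
        uint256 amount1 = feesOwed1;
        feesOwed0 = 0;
        feesOwed1 = 0;
        // Bounded transfers from the pair itself; no standing allowance exists.
        if (amount0 > 0) require(IERC20(token0).transfer(feeTo, amount0), "TRANSFER_FAILED");
        if (amount1 > 0) require(IERC20(token1).transfer(feeTo, amount1), "TRANSFER_FAILED");
    }
}
```

A quick check for anyone reviewing a deployed pair of this shape, with or without an audit report in hand: read `allowance(pair, feeTo)` on token0 and token1. For the hardened design it is zero; a `type(uint256).max` (or any non-zero) allowance from a pool to an externally held key means that key can drain the pool with a single transferFrom, which is why a finding of this kind belongs in the high-severity tier rather than under "centralization".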
Merlin's developers have since asked users to revoke wallet permissions granted to its website and say they are analyzing the exploit of the protocol.
Merlin did not immediately respond to a request for comment. The Block also contacted Certik.
This story is developing and has been updated with eZKalibur's claims and comments, as well as additional information.
Source: The Block