Blockchain security firm freezes $160,000 stolen in Merlin DEX ‘rugpull’


Smart contract auditor CertiK claims to have frozen $160,000 stolen from Merlin, a zkSync-based decentralized exchange (DEX) at the center of an alleged insider “rugpull” that cost users $1.8 million last week.

CertiK shared news of the successful freezing of $160,000 of the stolen funds in an update to its 257,700 Twitter followers on May 5.

“We have frozen $160,000 of the stolen funds with the help of partners,” CertiK said, adding that it continues to monitor the movement of the stolen funds.

The firm explained that it tried to “cooperate” with Merlin to recover the money stolen in the April 25 incident, but its efforts were to no avail.

That led the firm to reach out to law enforcement in the US and UK in an attempt to uncover the identities of the pseudonymous operators:

“This lack of cooperation has complicated our efforts to validate and assist victims. We are focused on working with law enforcement and have submitted information to relevant US and UK agencies.”

“We are exploring all options to combat the $2M exit scam,” CertiK added.

The security firm believes the “rogue developers” are based in Europe, according to a previous post.

Regarding the exit scam, CertiK said “Merlin insiders abused owner wallet privileges,” which is consistent with its initial finding that the loss stemmed from a private key issue rather than an exploit of the contract code.

Merlin claims the rug pull was carried out by its back-end team, in whom it says it had placed a “high degree of trust.”

Related: April’s Crypto Scams, Exploits and Hacks Lead to $103 Million in Losses — CertiK

CertiK, for its part, attributed part of the blame to itself for not having properly informed users about the centralization risk.

In a note to Cointelegraph, the firm said it would place more emphasis on this in future audit summaries.

“We are working to improve the clarity of our audit summaries in our reports – particularly around centralization risks – and to better communicate with the community about the purpose of an audit.”

CertiK emphasized, however, that smart contract auditors should not be held fully responsible for failing to identify features that enable a rug pull:

“Code audits serve the purpose of uncovering vulnerabilities, not discovering a potential exploit. It is important to recognize that many projects, both large and small, have centralization problems flagged, and the vast majority do not result in a rug pull,” the firm said.
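To make concrete what an audit’s “centralization problem flagged” looks like in practice, here is an added example (not CertiK’s tooling or Merlin’s code): a small scanner that walks Solidity source for functions gated by a privileged modifier such as `onlyOwner` and rates them higher when the body can move assets (`transfer`, `approve`, `selfdestruct`, raw value calls). The contract text is a constructed, abridged sample; the modifier and call lists are assumptions, and production tools such as Slither do this far more robustly.

```python
import re

# Constructed, abridged Solidity sample (not Merlin's contract) with one
# owner-gated function that can drain pooled tokens and one that cannot.
SAMPLE_CONTRACT = """
contract Pool {
    address public owner;
    uint256 public feeBps;
    modifier onlyOwner() { require(msg.sender == owner); _; }

    function deposit(uint256 amount) external { /* pulls user tokens in */ }

    function emergencyWithdraw(address token, address to) external onlyOwner {
        IERC20(token).transfer(to, IERC20(token).balanceOf(address(this)));
    }

    function setFee(uint256 fee) external onlyOwner { feeBps = fee; }
}
"""

# Assumed lists: modifiers that mark privileged access, and call patterns
# that move assets out of the contract.
PRIVILEGED_MODIFIERS = ("onlyOwner", "onlyAdmin", "onlyRole")
ASSET_MOVING_CALLS = ("transfer(", "transferFrom(", "approve(",
                      "call{value", "selfdestruct(")

# Matches "function name(params) <header up to '{'>" so the header can be
# inspected for modifiers; the body is then recovered by brace matching.
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{]*)\{")


def extract_body(source, start):
    """Return the text between the '{' just before `start` and its matching '}'."""
    depth = 1
    i = start
    while i < len(source) and depth:
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
        i += 1
    return source[start:i]


def find_privileged_functions(source):
    """List functions gated by a privileged modifier, rated by whether they move assets."""
    findings = []
    for m in FUNC_RE.finditer(source):
        name, header = m.group(1), m.group(3)
        modifiers = [mod for mod in PRIVILEGED_MODIFIERS if mod in header]
        if not modifiers:
            continue  # publicly callable; not a centralization finding
        body = extract_body(source, m.end())
        moves_assets = any(call in body for call in ASSET_MOVING_CALLS)
        findings.append({
            "function": name,
            "modifiers": modifiers,
            "moves_assets": moves_assets,
            # A privileged path that can drain funds is exactly the kind of
            # owner-wallet risk a key compromise or insider turns into a rug pull.
            "severity": "high" if moves_assets else "medium",
        })
    return findings


def summarize(findings):
    """Count findings per severity for an audit summary line."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = find_privileged_functions(SAMPLE_CONTRACT)
    for f in results:
        print(f"[{f['severity'].upper()}] {f['function']} gated by {f['modifiers']} "
              f"{'CAN' if f['moves_assets'] else 'cannot'} move assets")
    print("summary:", summarize(results))
```

The point of the `severity` split is the one CertiK makes above: a flag on `setFee` is a governance note, while a flag on `emergencyWithdraw` means a single key holder can empty the pool, and no code audit can stop that key from being used.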

The company launched a $2 million compensation plan to cover the funds lost in the April 27 “exit scam”.

The firm added that the pledged funds will be used to combat exit scams and to help victims where possible.

Related: Crypto audits and bug bounties are broken: How to fix them
