Security scandal in crypto: fraud by Merlin heats tempers

A security scandal in crypto is heating up tempers. A verified DeFi protocol uses a built-in backdoor to fool investors and extort millions. The special feature: The dApp called Merlin previously received a certificate from the auditing company CertiK.

Table of Contents

Security scandal in crypto: fraud by Merlin heats tempers

On March 31, the developers first presented their new project. It is called Merlin and is said to exist as both a DEX and a liquidity pool in Ethereum’s zkSync scaling solution. The DEX generated a lot of interest on Twitter, and in just a few weeks, amassed over 12,000 followers.

On April 24-25, Merlin raised investments that totaled $2 million in ten short hours. Just a day later, all that money suddenly disappeared. The inventors of the platform initially speak of an exploit.

The rapid loss of all liquidity is particularly tragic given that Merlin hired CertiK, a blockchain security company. CertiK checked the program code of the dApp and rated it with 90 out of 100 points. The safety check was completed on April 14 after four days.

We are pleased to inform that @CertiK has completed our audit of all of our contracts🧙‍♂️; the entire report and audit score are available at: https://t.co/4rzhs0cZUZ.
— Merlin (@TheMerlinDEX) April 24, 2023

The fact that the DEX Merlin was still able to successfully exit fraud is now falling on CertiK’s toes. In the crypto scene, the horror at the apparently half-hearted work of the security auditors is enormous.

How Certik conducts their audits pic.twitter.com/Lco10WBtw3
— Edgy – The DeFi Edge 🗡️ (@thedefiedge) April 26, 2023

There are now memes on Twitter depicting CertiK’s work as dishonest or sloppy. The well-known crypto user The DeFi Edge shares a post that shows a security guard who does his job uncleanly. He writes: “This is how CertiK conducts its security checks.”

CertiK overlooks backdoor independent developers

It is the brains behind Merlin who first became aware of the apparent exploit on April 26, urging users on Twitter to stop interacting with the dApp to protect funds.

At the time, it was said that the exploit would be taken care of and the error responsible would be fixed. However, it quickly becomes clear that this is not an error. Instead, the three developers allegedly worked together to build a backdoor to be able to withdraw funds in pools on their own. Two million US dollars in damage.

“In the early hours of that day, several members of the back-end team flushed all of our smart contracts .” Write Merlin on Twitter on April 26th.

Merlin's Post-Mortem

it is with deepest regret that we have to notify you of a major fault in the structural integrity and controls of the Merlin Platform.

In the early hours of this morning the several members of the Back-End Team drained all of our Contracts.
— Merlin (@TheMerlinDEX) April 26, 2023

After the backdoor scandal became known, CertiK quickly adjusted its evaluation of the program code. Instead of the previous 90 points, the test is suddenly adjusted to 38 points. The rating level drops from good to critical .

In a CertiK ranking list, the adaptation is evident to this day. Once upon a time, the DEX Merlin was prescribed at the 490th rank of all exams. In the meantime, the program has been postponed to 10,893. space without the underlying program code having changed.

CertiK itself, however, denies the blame for the million-dollar damage. Hugh Brooks, Director of Safety, even implied with his statement that the error had already been pointed out before the rug pull.

An audit is not a seal of approval, not a “pass” or “fail”, but an objective review of a project’s code. We always encourage users to read and understand audit reports before committing to any project.

Many people in the crypto scene suspect that CertiK accepts money willingly, but does not carry out the checks with the necessary seriousness.

The inventors of Merlin want to pay off all injured investors. They initiated criminal prosecution against the three developers responsible. They are apparently Serbian citizens, known on Github by the names OneDev0411 , dotnetstar82 and pos-ninja .

The work on the DEX will not be abandoned. After the current problem is solved, they want to continue the development of the original idea.

CertiK announces redress

Due to the huge outcry in the crypto scene, CertiK announced a reparation.

CertiK is exploring a community compensation plan to recover the $2 million in user funds lost from the Merlin DEX rug pull.

Writes the company on Twitter. In addition, there is hope that the funds will be obtained through the work of the Serbian authorities.

CertiK is offering a $400,000 reward to the programmers responsible if they voluntarily return the stolen $2 million. Nevertheless, CertiK remains on its position. A problem has been pointed out. However, there was no actual error and therefore could not be criticized.

Although we addressed the issues of permissions in the audit report, we want to help affected users. We are determined to find those behind this incident. More details on compensation will be released soon.

1/ CertiK is exploring a community compensation plan to cover the ~$2M of user funds lost in the Merlin DEX rug pull. Initial investigations indicate that the rogue developers are based in Europe, and we are working with law enforcement to track them down.

⬇️⬇️⬇️
— CertiK (@CertiK) April 26, 2023

In the security analysts’ audit report, the back door that led to theft emerges as a “centralization” issue. CertiK consulted Merlin about this issue. Critics on Twitter say the critical code should have been flagged as a security risk because it was not critical to the DEX’s operation, but posed a threat.