DEX Merlin suffers $1.8 million security breach 

 

Merlin, an Ethereum-based decentralized exchange (DEX) built on the zkSync layer-2 protocol, has suffered a security incident in which roughly $1.8 million in funds were lost during a public sale of its mage (MAGE) tokens.

According to blockchain security company PeckShield, the attackers bridged USDC tokens worth $850,000 from zkSync to Ethereum. Additionally, the hacker sent $133,800 USDC to MEXC Global and $31,000 USDC to Binance.

The incident has been confirmed by the Merlin team in a Twitter post.

“We are analysing the exploit of our protocol and would stress that everyone carries out this step as a precaution,” the team said.

The company, which had recently undergone an audit by blockchain security firm CertiK, recommended that users revoke wallet and signing permissions connected to the exploited platform.

For its part, CertiK said that it is investigating the Merlin incident, and that initial findings point to a potential private key management issue rather than an exploit as the root cause.

eZKalibur, another zkSync-based decentralized exchange, claims to have found the malicious code responsible for the draining of funds. The company says that the problem stems from the initialize function, where two lines of code grant approval for the feeTo address to transfer an unlimited amount (type(uint256).max) of token0 and token1 from the contract's address.

With those approvals in place, the feeTo address could call the transferFrom function on each of the two tokens and move tokens from the contract's address to itself.
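The pattern eZKalibur describes, reconstructed here as an added illustration (this is not Merlin's actual contract code): the vulnerable initialize grants feeTo an unbounded allowance over both reserve tokens, while the hardened variant keeps no standing allowance and pays out only accrued fees through a bounded transfer. Contract names, the fee counters and collectFees are assumptions; the swap logic that would increment the counters is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Vulnerable pattern described above: initialize() hands the feeTo address an
// unlimited allowance over both reserve tokens, so whoever holds the feeTo key
// can later call transferFrom() on each token and move the pair's entire balance.
contract VulnerablePair {
    address public feeTo;
    address public token0;
    address public token1;
    function initialize(address _token0, address _token1, address _feeTo) external {
        token0 = _token0;
        token1 = _token1;
        feeTo = _feeTo;
        // The two problem lines: a standing, unbounded allowance to one privileged key.
        IERC20(token0).approve(feeTo, type(uint256).max);
        IERC20(token1).approve(feeTo, type(uint256).max);
    }
}

// Hardened variant (an assumed design, not Merlin's actual fix): no allowance is
// ever granted; fees accrue in counters and leave only via an explicit, bounded
// transfer, so the feeTo key can never reach the reserves. initialize() also
// runs once, so a later call cannot re-point feeTo.
contract HardenedPair {
    address public feeTo;
    address public token0;
    address public token1;
    uint256 public accruedFee0;
    uint256 public accruedFee1;
    bool private initialized;
    function initialize(address _token0, address _token1, address _feeTo) external {
        require(!initialized, "already initialized");
        initialized = true;
        token0 = _token0;
        token1 = _token1;
        feeTo = _feeTo;
    }
    function collectFees() external {
        (uint256 a0, uint256 a1) = (accruedFee0, accruedFee1);
        (accruedFee0, accruedFee1) = (0, 0);
        require(IERC20(token0).transfer(feeTo, a0), "fee0 transfer failed");
        require(IERC20(token1).transfer(feeTo, a1), "fee1 transfer failed");
    }
}
```

A quick defender's check on any live pair is to read allowance(pair, feeTo) on both reserve tokens: a value of type(uint256).max is the signature of the first pattern.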

Earlier this month, Singapore-based cryptocurrency exchange Bitrue suffered a hack that resulted in the theft of $23 million worth of digital assets, including Ether and Shiba Inu.

The company said that the affected hot wallet contained less than 5% of its overall reserves, and that the rest of its wallets were not impacted.
