Ethereum-based decentralized exchange (DEX) Merlin, which uses zero-knowledge sync (zkSync), has lost more than $1.8 million in a liquidity pool exploit hours after smart contract security firm CertiK audited its code.
The hack occurred on Wednesday morning during the public sale of Merlin’s native token, MAGE, with the attacker siphoning several assets, including USD Coin (USDC), Ether (ETH), and other illiquid tokens.

Merlin’s LP Drained After Code Audit

A few hours after the exploit, CertiK tweeted that it was investigating the incident and working to understand its impact on the community. The security firm disclosed that its initial findings suggested that a private key management issue may have led to the hack and not an exploit, as widely believed.
CertiK said it pointed out the centralization risk in the recent audit report for Merlin under the “Decentralization Efforts” section. The firm insisted that while audits could not prevent private key issues, they always ensured to highlight better practices for projects.
As claimed in the audit dated April 24, 2023, CertiK recommended that Merlin improve its centralized roles to a decentralized mechanism like multi-signature wallets to enhance security practices. The firm also asked the protocol to implement a timelock feature with a latency of at least 48 hours to avoid a single point of key management failure. CertiK has also promised to work with appropriate authorities if any foul play is discovered.

“We encourage all community members to review this information and all audits fully. As we navigate this challenging situation, we want to assure you that we are taking all necessary measures to protect our community’s interests,” CertiK said.

Malicious Code Detected

Interestingly, eZKalibur, another zkSync DEX and launchpad,