ZkSync-Based DEX Merlin Drained of $1.8M During Public Token Sale Despite ‘Audit’

The project garnered hype among Crypto Twitter users for its attractive yield offered on deposits.

AccessTimeIconApr 26, 2023 at 5:53 a.m. UTC
Updated Apr 27, 2023 at 10:29 a.m. UTC

New zkSync-based decentralized exchange Merlin was seemingly exploited for over $1.8 million Wednesday morning during a public sale of its mage (MAGE) tokens.

Exploiters drained some $850,000 worth of USD coin (USDC) from Merlin along with some more relatively illiquid tokens. As such, blockchain data suggested that an entity with control of the liquidity pool was able to drain the funds easily – meaning this was not a complex or sophisticated exploit.

The attack occurred despite Merlin touting an audit conducted by blockchain security firm CertiK. “No Critical Findings,” the audit concluded, as CertiK’s website data shows.

Merlin was offering its MAGE tokens in a public sale to investors in a three-day event without any hard cap. “$MAGE will begin trading at $45, with a $850K market value. The total amount raised will determine the final price of tokens for all users,” developers said Tuesday.

Merlin developers did not issue any statement regarding the funds drain on Wednesday at press time.

On-chain data provided by Arkham Intelligence reveals that $1.82 million in total had been stolen, with the funds being bridged back to the Ethereum network before being converted to ether.

UPDATE (April 26, 14:33 UTC): Updates total amount stolen, adds details that hacker bridged funds to Ethereum.

UPDATE (April 26, 16:37 UTC): Adds information about CertK's Twitter response to the loss of funds, including plans for compensation.

UPDATE (April 27, 10:29 UTC): Removes Certik's Twitter response from end of story after company deletes tweet.

Edited by Parikshit Mishra.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Shaurya Malwa

Shaurya is the Deputy Managing Editor for the Data & Tokens team, focusing on decentralized finance, markets, on-chain data, and governance across all major and minor blockchains.