New zkSync-based decentralized exchange Merlin was seemingly exploited for over $1.8 million Wednesday morning during a public sale of its mage (MAGE) tokens.
Exploiters drained some $850,000 worth of USD coin (USDC) from Merlin along with some more relatively illiquid tokens. As such, blockchain data suggested that an entity with control of the liquidity pool was able to drain the funds easily – meaning this was not a complex or sophisticated exploit.
Merlin was offering its MAGE tokens in a public sale to investors in a three-day event without any hard cap. “$MAGE will begin trading at $45, with a $850K market value. The total amount raised will determine the final price of tokens for all users,” developers said Tuesday.
Merlin developers did not issue any statement regarding the funds drain on Wednesday at press time.
On-chain data provided by Arkham Intelligence reveals that $1.82 million in total had been stolen, with the funds being bridged back to the Ethereum network before being converted to ether.
UPDATE (April 26, 14:33 UTC): Updates total amount stolen, adds details that hacker bridged funds to Ethereum.
UPDATE (April 26, 16:37 UTC): Adds information about CertK's Twitter response to the loss of funds, including plans for compensation.
UPDATE (April 27, 10:29 UTC): Removes Certik's Twitter response from end of story after company deletes tweet.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.