ZkSync-Based DEX Merlin Drained of $1.8M During Public Token Sale Despite ‘Audit’

The project garnered hype among Crypto Twitter users for its attractive yield offered on deposits.

AccessTimeIconApr 26, 2023 at 5:53 a.m. UTC
Updated Apr 27, 2023 at 10:29 a.m. UTC

New zkSync-based decentralized exchange Merlin was seemingly exploited for over $1.8 million Wednesday morning during a public sale of its mage (MAGE) tokens.

Exploiters drained some $850,000 worth of USD coin (USDC) from Merlin along with some more relatively illiquid tokens. As such, blockchain data suggested that an entity with control of the liquidity pool was able to drain the funds easily – meaning this was not a complex or sophisticated exploit.

The attack occurred despite Merlin touting an audit conducted by blockchain security firm CertiK. “No Critical Findings,” the audit concluded, as CertiK’s website data shows.

Merlin was offering its MAGE tokens in a public sale to investors in a three-day event without any hard cap. “$MAGE will begin trading at $45, with a $850K market value. The total amount raised will determine the final price of tokens for all users,” developers said Tuesday.

Merlin developers did not issue any statement regarding the funds drain on Wednesday at press time.

On-chain data provided by Arkham Intelligence reveals that $1.82 million in total had been stolen, with the funds being bridged back to the Ethereum network before being converted to ether.

UPDATE (April 26, 14:33 UTC): Updates total amount stolen, adds details that hacker bridged funds to Ethereum.

UPDATE (April 26, 16:37 UTC): Adds information about CertK's Twitter response to the loss of funds, including plans for compensation.

UPDATE (April 27, 10:29 UTC): Removes Certik's Twitter response from end of story after company deletes tweet.

Edited by Parikshit Mishra.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Shaurya Malwa

Shaurya is the Deputy Managing Editor for the Data & Tokens team, focusing on decentralized finance, markets, on-chain data, and governance across all major and minor blockchains.

Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.