DEX Merlin and CertiK Plan to Compensate $2M to Users Impacted in Rug Pull

A rogue developer behind the hyped launch allegedly conducted the rug pull on Wednesday.

AccessTimeIconApr 27, 2023 at 6:56 a.m. UTC
Updated Apr 27, 2023 at 3:04 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

ZkSync-based decentralized exchange (DEX) Merlin plans to compensate users impacted in a nearly $2 million rug pull with blockchain audit firm CertiK, a representative for CertiK told CoinDesk in an email on Thursday.

A rug pull is a type of exit scam in which the perpetrators create a new token, launch a liquidity pool for it and pair it with a base token, such as ether (ETH) or a stablecoin such as dai (DAI). A liquidity pool is a large pool of tokens a protocol uses to fulfill trades, as opposed to an order book system where buyers and sellers list their trade orders and wait to be filled.

“CertiK is actively investigating the recent Merlin DEX exit scam, where rogue developers are suspected of causing the loss of around $2 million in user funds,” the representative said. “Working closely with the remaining Merlin team, CertiK will initiate a compensation plan to cover the lost funds for affected users.”

“Initial investigations indicate that the rogue developers are based in Europe, and CertiK will collaborate with law enforcement authorities to track them down if direct negotiation is unsuccessful,” they added.

The rogue developer is urged to return 80% of the stolen funds and accept a 20% white-hat bounty, CertiK said. On its part, CertiK emphasized that although private key privileges are outside the scope of a smart contract audit, they are committed to assisting impacted users in this case.

Merlin was seemingly exploited for over $1.8 million on Wednesday morning during a public sale of its mage (MAGE) tokens. The attack occurred despite Merlin touting an audit conducted by blockchain security firm CertiK.

Further analysis by firms and analysts alleged the attack was conducted by a rogue developer who held private keys to Merlin’s smart contracts – allowing them to withdraw all liquidity from the protocol.

Edited by Parikshit Mishra.

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Shaurya Malwa

Shaurya is the Deputy Managing Editor for the Data & Tokens team, focusing on decentralized finance, markets, on-chain data, and governance across all major and minor blockchains.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.