
CertiK Blames ZkSync’s MerlinDEX Hack on Private Key Management Issue

CryptoNews - Ogwu Osaemezu Emmanuel
2023-04-26 09:11
CertiK has attributed the over $1.82 million loss suffered by zkSync-based decentralized exchange, MerlinDEX, to a private key management issue rather than an exploit by bad actors. CertiK conducted an audit on MerlinDEX’s smart contracts before the incident.
MerlinDEX, a zkSync-based platform, is the latest decentralized finance protocol to lose the funds in its liquidity pool. The decentralized exchange (DEX) lost over $1.82 million during the early hours of April 26.
So far, reports on the exact cause of the asset loss conflict. The blockchain security firm CertiK, which recently audited the project's code, claims that its initial investigations have revealed that the attack was due to a private key management issue rather than an exploit.
We’re actively investigating the @TheMerlinDEX incident. Initial findings point to a potential private key management issue rather than an exploit as the root-cause.
While audits cannot prevent private key issues, we always highlight best practices to projects.
Should any foul play be discovered, we will work with the appropriate authorities and share relevant info. Stay tuned for updates.
— CertiK (@CertiK) April 26, 2023
However, eZKalibur, another zkSync-based decentralized exchange project, claims to have researched the MerlinDEX smart contracts and identified the loophole that enabled the heist.
📢 We did some research on Merlin smart contracts and we identified the malicious code responsible for the draining of funds.
These two lines of code in the initialize function are essentially granting approval for the feeTo address to transfer an unlimited (type(uint256).max) amount of token0 and token1 from the contract's address.
In this case, the feeTo address could potentially call the transferFrom function on the respective tokens to transfer tokens from the contract's address to itself.
How could @CertiKAlert audit this?
— eZKalibur ∎ (@zkaliburDEX) April 26, 2023
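The pattern the eZKalibur post describes, a standing unlimited allowance granted to a privileged address inside an initializer, is something a code reviewer can flag mechanically. The script below is an added example, not part of the original article and not the MerlinDEX source: the Solidity sample is constructed, and the names `function_bodies` and `find_unlimited_approvals` are hypothetical.

```python
import re

# Constructed sample (NOT the MerlinDEX source): a pair contract whose
# initializer grants a standing unlimited allowance to a privileged address.
SAMPLE_SOL = """
contract Pair {
    function initialize(address _token0, address _token1) external {
        token0 = _token0;
        token1 = _token1;
        address feeTo = IFactory(factory).feeTo();
        IERC20(token0).approve(feeTo, type(uint256).max);
        IERC20(token1).approve(feeTo, type(uint256).max);
    }
    function swap(uint256 amountOut, address to) external {
        IERC20(token0).transfer(to, amountOut);
    }
}
"""

FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)[^{;]*\{")
# approve / safeApprove called with a max-uint amount, in its common spellings
APPROVE_RE = re.compile(
    r"(\w+(?:\([^()]*\))?)\s*\.\s*(?:safeA|a)pprove\s*\(\s*([^,]+?)\s*,\s*"
    r"(type\(\s*uint(?:256)?\s*\)\.max|uint(?:256)?\(\s*-1\s*\)|~uint(?:256)?\(0\))\s*\)"
)

def function_bodies(src):
    """Yield (name, body) for each function, using brace matching."""
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]

def find_unlimited_approvals(src):
    """Return one finding per unlimited approval: function, token, spender."""
    src = re.sub(r"//[^\n]*|/\*.*?\*/", "", src, flags=re.S)  # naive comment strip
    findings = []
    for name, body in function_bodies(src):
        for tok, spender, _ in APPROVE_RE.findall(body):
            findings.append({"function": name, "token": tok, "spender": spender})
    return findings

if __name__ == "__main__":
    for f in find_unlimited_approvals(SAMPLE_SOL):
        print(f"{f['function']}: {f['token']} grants unlimited allowance to {f['spender']}")
```

Each finding is a prompt for manual review: who controls the spender address, and whether the contract ever needs that address to pull its token balances at all.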
#PeckShieldAlert Our community contributor has reported that Merlin #DEX on #zksync was exploited. One of the exploiters 0x2744…9b7 has grabbed ~850K $USDC and bridged them to #Ethereum
— PeckShieldAlert (@PeckShieldAlert) April 26, 2023
While the DeFi ecosystem saw an increased TVL (total value locked) during the first quarter of the year, hacks and rug pulls continue to plague the industry with no permanent solution.
According to CertiK, bad actors drained more than $320 million from the crypto space during the first quarter of this year alone. If the current situation continues, that amount could surpass last year's total of over $3 billion stolen by the end of 2023.