The crypto security firm that audited the Merlin decentralized exchange's code announced plans to compensate victims after the team behind the project absconded with nearly $2 million days after the audit was completed.
CertiK, a well-known security and smart-contract audit firm, "is exploring a community compensation plan" after members of the Merlin team swiped the funds from the project's smart contract this week, CertiK said in a tweet. More details about the plan will be released in future, it added.
Initially believed to be a hack, the incident was eventually concluded by security analysts, including CertiK, to be a rug pull — an exit scam frequently encountered in the DeFi space in which one or more members of a crypto project seize control of the protocol and steal the funds locked within it. The incident occurred just a few days after CertiK conducted a code audit for Merlin, leading commentators on Crypto Twitter to blame the security auditor for the incident.
"As CertiK works tirelessly to resolve the situation, the company will continue to provide updates and ensure transparency throughout the process," CertiK told The Block. "We are committed to protecting the community and maintaining the highest level of security standards in the blockchain ecosystem."
CertiK, which raised $88 million in funding at a $2 billion valuation last year, audits smart contracts of DeFi projects. Due to the immutable nature of blockchain technology, projects often pay audit firms like CertiK to demonstrate their commitment to security measures before deploying a smart contract. The developers of Merlin, a decentralized exchange that operated on the zkSync Layer 2 blockchain, also contacted CertiK for an audit of their smart contract.
CertiK said it planned to cooperate with law enforcement to track down the rogue developers responsible for the scam and has offered a 20% bounty (worth about $400,000) for the return of the stolen funds.
"Initial investigations indicate that the rogue developers are based in Europe, and CertiK will collaborate with law enforcement authorities to track them down if direct negotiation is unsuccessful," CertiK elaborated.
Merlin allowed crypto users to provide liquidity by allocating their tokens to its smart contract in exchange for rewards. However, the developers, who forked the smart contract from another decentralized exchange called Camelot, granted themselves admin privileges. This enabled them to seize user funds at any time using the admin key.
CertiK's audit of Merlin did warn of risks, including the developers' privileged access to funds deposited in the smart contract. Yet users who trusted the project still deposited funds into its liquidity pools.
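The privileged-access risk described above, as an added illustration that is not Merlin's or Camelot's code and is not taken from CertiK's audit: a hypothetical pool whose owner key can sweep every deposit, beside a hardened version in which only a depositor can move their own balance and the one admin power (a fee change) is announced and timelocked so users can exit before it applies. All contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical ETH pool with the centralization risk an audit flags: the
// deployer keeps an admin key that can move every deposit, at any time.
contract RiskyPool {
    address public immutable owner;
    mapping(address => uint256) public deposits;
    constructor() { owner = msg.sender; }
    function deposit() external payable { deposits[msg.sender] += msg.value; }
    // RISK: sweeps the whole pool balance to any address the owner names, with
    // no delay and no per-user accounting: the "admin key" the article describes.
    function emergencyWithdraw(address payable to) external {
        require(msg.sender == owner, "not owner");
        to.transfer(address(this).balance);
    }
}

// Hardened variant: only a depositor can move their own balance, and the sole
// admin power (a withdrawal fee, capped at 1%) must be announced and wait out
// a delay before it applies, so depositors can leave first.
contract TimelockedPool {
    uint256 public constant DELAY = 2 days;
    address public immutable admin;
    uint256 public feeBps;          // current withdrawal fee, basis points
    uint256 public pendingFeeBps;
    uint256 public pendingFeeEta;   // earliest time the pending fee may apply
    mapping(address => uint256) public deposits;
    constructor() { admin = msg.sender; }
    function deposit() external payable { deposits[msg.sender] += msg.value; }

    function withdraw(uint256 amount) external {
        deposits[msg.sender] -= amount;           // reverts on underflow
        uint256 fee = amount * feeBps / 10_000;   // fee stays in the pool
        (bool ok, ) = msg.sender.call{value: amount - fee}("");
        require(ok, "transfer failed");
    }

    function proposeFee(uint256 newFeeBps) external {
        require(msg.sender == admin && newFeeBps <= 100, "bad proposal");
        pendingFeeBps = newFeeBps;
        pendingFeeEta = block.timestamp + DELAY;
    }

    function applyFee() external {
        require(pendingFeeEta != 0 && block.timestamp >= pendingFeeEta, "timelock");
        feeBps = pendingFeeBps;
        pendingFeeEta = 0;
    }
}
```

An audit's centralization finding is essentially the observation that a function like `emergencyWithdraw` exists and is reachable by a single key; the second contract shows what "no privileged access to user funds" looks like in code.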
CertiK acknowledged the difficulty in detecting malicious developer intentions, stating, "While audits can identify potential risks and vulnerabilities, they cannot prevent malicious activities on the part of rogue developers such as rug pulls."
The firm told The Block it was the first time it had decided to pay compensation after one of its clients cheated investors.
© 2023 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.