The Ethereum L2 expansion solution zkSync based on Zero-knowledge Proof technology (ZK Rollup), after launching the Mainnet zkSync Era on March 24, disasters frequently spread. The DEX protocol Merlin in the ecosystem just completed the audit earlier this week. In the public offering, it was hacked to 1.8 million US dollars , which aroused discussions in the encryption community.
Extended reading: zkSync Era package "921 ETH card contract cannot be claimed! The team admits: some functions are not equivalent to EVM
The community questioned that Merlin was hacked as a Rug Pull
As the case spread, according to the community user @zkaliburDEX's analysis of Merlin's contract, he said that the hack was probably an internal behavior of the project:
There are two lines of code in the initialize function that allow the maximum value of uint256 to be assigned to the feeTo address (deployer). In this case, the feeoTo address may call the corresponding token transferFrom function to transfer the token from the contract address to its own address . Therefore, this is likely to be an internal behavior of the project party.
Another community user @delucinator also said that Merlin is 100% Rug Pull (literal translation: Rug Pull). Additionally, he questioned Certik, the security team responsible for auditing Merlin:
Certik audited the protocol, and unlike the swapped front end, Certik saw that the contract allowed unlimited allocation to some random address, but passed it anyway.
In this regard, Thanh Nguyen, founder of the blockchain security company Verichains, agrees with the views of the above-mentioned community members. He pointed out that "Merlin is an obvious case of intentional backdoor insertion."
There is a "backdoor" code (L87-88) in the Merlin code that allows MerlinFactory's feeTo to transfer all assets in the transaction pair in the exchange function except the fee. This backdoor is an obvious security risk since no usage scenario requires its approval.
CertiK must admit that it did not notice the backdoor's code during its audit.
CertiK denies audit lapses
In response to the above-mentioned doubts, CertiK issued a response stating that it is currently investigating the Merlin incident, and the preliminary findings point to a potential private key management problem, rather than a contract loophole that caused the protocol to be hacked, and said that auditing cannot prevent private key problems.
However, what is ironic is that on the same day (26th), Geek Park published an exclusive interview with Gu Ronghui, the founder of Certik and a professor of computer science at Columbia University. Blockchain security has become a racing track, attracting a lot of attention, eating up 70% of the security market, and reducing the cost of Web3 security audits by more than 90%.”
