CertiK freezes $160k stolen in Merlin DEX insider rug pull
Blockchain security firm CertiK announced on May 4 that it has successfully blocked $160,000 in stolen funds from Merlin, a decentralized exchange based on zkSync recently hit by a rogue insider rug pull. The fraudulent activity resulted in losses of $1.8 million for users last week.
In a Twitter thread posted on May 4, CertiK reiterated that insiders carried out the Merlin DEX rug pull. The blockchain security firm, however, stated that its efforts to collaborate with Merlin to recover the funds were unsuccessful because the project’s other team members were unwilling to verify their true identities.
The lack of cooperation has complicated the efforts to aid victims of the exploit. Still, CertiK is working with law enforcement in the United States and the United Kingdom to reveal the identities of the pseudonymous operators responsible for the rug pull.
CertiK believes the “rogue developers” behind the scam are based in Europe. According to the firm, the insiders at Merlin abused the owner’s wallet privileges, which is consistent with its initial finding that the issue was related to a private key problem rather than an exploit.
Merlin claims that the rug pull was carried out by its back-end team, which it had put a “high degree of trust in.”
The zkSync-based decentralized exchange was compromised on April 25, a few days after its launch. CertiK noted at the time that the project had “centralization risks” in its audit of the firm.
Compensation plan worth $2 million announced for exit scam victims
The blockchain security firm admitted that it did not highlight this risk appropriately and that the centralized privileges should have been distinctly emphasized to make users aware of the risks.
To prevent similar incidents in the future, CertiK pledged to prioritize centralization risks in audit summaries to ensure that users have a complete picture of potential risks.
On April 27, CertiK announced a compensation plan worth $2 million to cover the losses suffered by victims of the exit scam.
The security company has also pledged to use the funds to help prevent similar scams in the future and provide assistance to those affected.