In April 2023, the Merlin DEX was the victim of a hack. The attacker stole an estimated $1.8 million from the protocol by draining its liquidity pools.
Inside the Attack
At the time of the attack, Merlin was a relatively new DEX running on zksync L2. The protocol was undergoing a “Liquidity Generation Event” scheduled for three days as part of the launch of its MAGE token.
The April attack may have been a rug pull that netted the attacker $1.8 million. During the attack, the attacker drained the liquidity being deposited into its pools as users were adding assets.
The underlying issue was excessive permissions granted to the Feeto address used during deployment. This address had full access and permissions, enabling it to drain the pool of assets.
During Merlin’s second audit, the potential risk of overly-centralized control was raised with recommendations to implement decentralization best practices such as multi-signature wallets and on-chain governance. However, while this issue was marked as resolved in the audit, the centralization remained and enabled this potential rug pull.
Lessons Learned From the Attack
Overly-centralized control over a DeFi protocol creates significant risks for itself and its users. Whether the Merlin DEX hack was a rug pull or a private key compromise, it was made possible by granting too much power to a single account.
Governance risks are an issue that should be identified and resolved as part of a smart contract security audit. To learn more about protecting your protocol from similar attacks, contact us.