On April 25th, team members behind Merlin DEX took advantage of centralized privileges in the protocol to rugpull their users for $1.8 million. We’d like to take this opportunity to clarify a few points.
1. This was an internal rugpull, not an external exploit. Insiders with private key access on the Merlin team abused the owner wallet’s privileges to scam their users. Initially, we approached this as the work of a single rogue developer and attempted to work with the rest of the team to mitigate the losses. Although two members of the Merlin DEX team participated in a KYC process, two other core members refused repeated attempts to verify their identity. Further requests for details that would allow us to carry out our part in the investigation were also ignored. At this point, we decided to focus our efforts on continuing our work with law enforcement, and we submitted reports of the incident along with all available information in our possession to the relevant law enforcement agencies in the US and UK. Finally, we want to share that we have successfully frozen $160K of the stolen funds with the help of partners. We will continue to monitor the movement of all stolen funds in an attempt to freeze and recover the remaining amount.
2. We’re overcoming a brand new set of obstacles. First of all, we want to share that we have successfully frozen $160K of the stolen assets with the help of partners. As we move forward, we are actively seeking ways to allocate the funds we have committed. The good intentions of setting up a victim aid fund for the Merlin community have been met with challenges. Working with advice from legal experts and law enforcement, we now understand that, to best serve the community and facilitate investigations, we need to continue to explore alternative ways to help the community while we try to resolve the challenges surrounding the victim aid fund. We understand that being the first to attempt such an initiative comes with its own set of obstacles, but we remain committed to exploring all possibilities in order to fight against exit scams and to support their victims. Our ultimate goal is to fight exit scams, help victims, and prevent similar incidents from occurring in the future. We will release more details when available.
3. We are continually improving our processes. Although the publicly available Merlin DEX audit report identified the centralization issue, we recognize the importance of highlighting the potential risks of centralized privileges more prominently. We are working to improve the clarity of our audit summaries and to better communicate with the community about what an audit does and does not cover.
The vast majority of Web3 projects are run by legitimate founders who take security and the importance of KYC very seriously and are committed to building quality applications. When a team rugpulls their investors, as in the case of Merlin DEX, it reflects poorly on everyone. CertiK’s mission is to secure the Web3 world, and with this statement we reaffirm our commitment to raise the standard of security and transparency across the entire industry.