DEX Merlin and CertiK Plan to Compensate $2M to Users Impacted in Rugpull

zkSync-based decentralized exchange Merlin plans to compensate users impacted in a nearly $2 million rugpull with blockchain audit firm CertiK, a representative for CertiK told CoinDesk in an email on Thursday.

A rug pull is a type of exit scam in which the perpetrators create a new token, launch a liquidity pool for it and pair it with a base token, like ether (ETH) or a stablecoin like dai (DAI). A liquidity pool is a large pool of tokens that a protocol uses to fulfill trades, as opposed to an order book system where buyers and sellers list their trade orders and wait to be filled.

“CertiK is actively investigating the recent Merlin DEX exit scam, where rogue developers are suspected of causing the loss of around $2 million in user funds,” the representative said. “Working closely with the remaining Merlin team, CertiK will initiate a compensation plan to cover the lost funds for affected users.”

“Initial investigations indicate that the rogue developers are based in Europe, and CertiK will collaborate with law enforcement authorities to track them down if direct negotiation is unsuccessful,” they added.

The rogue developer is urged to return 80% of the stolen funds and accept a 20% white hat bounty, CertiK said. On its part, CertiK emphasized that although private key privileges are outside the scope of a smart contract audit, they are committed to assisting impacted users in this case.

Merlin was seemingly exploited for over $1.8 million on Wednesday morning during a public sale of its mage (MAGE) tokens. The attack occurred despite Merlin touting an audit conducted by blockchain security firm CertiK.

Further analysis by firms and analysts alleged the attack was conducted by a rogue developer who held private keys to Merlin’s smart contracts – allowing them to withdraw all liquidity from the protocol.

Edited by Parikshit Mishra.