CertiK, a blockchain security firm, has responded to a “rug pull” scam that caused $160,000 to be stolen from Merlin, a zkSync-based decentralized exchange. CertiK claims that the scam was perpetrated by insiders at Merlin who exploited their wallet privileges. Despite making efforts to work with Merlin to retrieve the stolen funds, CertiK was unable to do so.
Steps Taken by Cetrik
Law enforcement agencies in the UK along with the US have been contacted by CertiK in an effort to track down those pseudonymous operators. With expertise in auditing smart contracts, CertiK has effectively prevented Merlin, a decentralized exchange operating on zkSync, from accessing $160,000 from the rugpull. However, this “rugpull” incident caused by a deceitful insider, has led to users losing around a sum of 1.8 million US dollars.
On May 5, CertiK announced its successful freeze of those stolen funds to its 257,700 Twitter followers. The company attempted to work with Merlin to recover the funds stolen during the April 25 “rugpull,” but the attempt was unsuccessful. According to an earlier post, the security firm believes that the “rogue developers” are located somewhere in Europe.
Accusations for the Rugpull
CertiK has addressed the exit scam and reiterated their initial finding that it was caused by a private key issue rather than an exploit. They confirmed that Merlin insiders had misused their wallet privileges, which supports their original conclusion.
Merlin has accused their back-end team of executing the rug pull. CertiK, however, has acknowledged their own responsibility in not sufficiently warning users about the dangers of centralization.
Cetrik stressed on the fact that the failure to detect rug pulls cannot be solely attributed to smart contract auditors. The main objective of Code Audits is to expose vulnerabilities rather than detect a potential rugpull. It is important to note that many projects, regardless of their size, have been flagged for centralization issues, but most of them do not result in a rugpull.
To compensate for the losses suffered due to the “exit scam” on April 27, the company has introduced a compensation plan worth $2 million. Furthermore, the company has committed to using the allocated funds to prevent exit scams and assist the victims, if possible.