Understanding the Recent Attack on zkSync Ecological DEX Merlin

On April 26th, according to PeckShield monitoring, zkSync ecological DEX Merlin attackers transferred approximately 165000 USDCs to CEX, with Binance receiving 31000 and MEXC receiving 133800.

Merlin attacker transferred approximately 165000 USDCs to CEX

Introduction

Between April 25th and 26th of this year, zkSync ecological DEX Merlin suffered a security breach. During the attack, the attackers transferred approximately 165,000 USDC to centralized exchanges (CEXs): Binance received 31,000 USDC and MEXC received 133,800 USDC. This article covers the details of the attack, its impact, and the steps the Merlin team took to prevent similar incidents in the future.

The Attack

PeckShield monitoring reported that the attack on Merlin took place on April 26th, 2021. The attackers exploited a vulnerability in the transmuter.coffee.sol contract. The vulnerability allowed the attacker to produce an insufficient data hash, tricking the contract’s transferFrom function into accepting MERL tokens from the attacker’s address. The attacker then converted these tokens into 165,000 USDC.

The Impact

The attack had significant implications for zkSync ecological DEX Merlin. A loss of 165,000 USDC is a considerable sum, even in the decentralized finance (DeFi) space. The attack also underlines the operational risk that currently exists on decentralized exchanges: the lack of adequate measures to secure transactions and prevent fraud is why incidents like this keep occurring.

Response to the Attack

The Merlin team responded quickly to the attack. They issued an official statement on their Discord channel, first apologizing to their users for the breach and then outlining the steps they would take to limit the effects of the attack. These steps consisted of a set of damage-control measures and a security audit investigation.

Measures Taken by the Merlin Team

The Merlin team immediately took the following measures:

Suspending Front-end Access

The first step taken by the Merlin team was to suspend front-end access. Doing so ensured that users did not interact with the platform, preventing the attacker from causing any further damage.

Pausing Pool Operations

Merlin liquidity pools were paused to prevent users from trading on the platform. This prevented the attacker from moving any more funds from Merlin to the CEXs.

Migration of Funds

The Merlin team migrated all other Merlin contracts unaffected by the attack to a new contract address. User funds remained safe and unaffected.

Deploying Fixed Contracts

The team deployed fixed contracts to the new contract address. These contracts were designed to prevent a repeat of the vulnerability exploited in the previous contract.

Hiring External Security Auditors

The Merlin team hired two external security auditors to perform a thorough audit. This audit will help to identify and resolve any issues that could lead to similar incidents in the future.
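The two on-chain measures above, pausing pool operations and migrating funds to a new contract address, are usually implemented as a circuit breaker inside the pool contract itself. The contract below is an added illustration written for this article; it is not Merlin's code and does not reflect how Merlin's contracts are built. It assumes OpenZeppelin Contracts 4.x (the `Pausable` and `Ownable` base contracts and `SafeERC20`), and the pool logic is a deliberately minimal constant-product swap so the pause and migration paths stay in focus.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumes OpenZeppelin Contracts 4.x import paths.
import "@openzeppelin/contracts/security/Pausable.sol";
import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical minimal two-token pool with an emergency pause and a
/// migration path that is only reachable while the pool is paused.
contract PausablePool is Pausable, Ownable {
    using SafeERC20 for IERC20;

    IERC20 public immutable token0;
    IERC20 public immutable token1;
    uint256 public reserve0;
    uint256 public reserve1;

    event Migrated(address indexed newPool, uint256 amount0, uint256 amount1);

    constructor(IERC20 _token0, IERC20 _token1) {
        token0 = _token0;
        token1 = _token1;
    }

    // User-facing operations carry whenNotPaused, so a single pause()
    // call halts deposits and swaps at once.
    function addLiquidity(uint256 amount0, uint256 amount1) external whenNotPaused {
        token0.safeTransferFrom(msg.sender, address(this), amount0);
        token1.safeTransferFrom(msg.sender, address(this), amount1);
        reserve0 += amount0;
        reserve1 += amount1;
    }

    // Constant-product swap of token0 for token1 (no fee), blocked while paused.
    function swap0For1(uint256 amountIn, uint256 minOut)
        external
        whenNotPaused
        returns (uint256 amountOut)
    {
        require(amountIn > 0, "zero input");
        amountOut = (reserve1 * amountIn) / (reserve0 + amountIn);
        require(amountOut >= minOut, "slippage");
        token0.safeTransferFrom(msg.sender, address(this), amountIn);
        reserve0 += amountIn;
        reserve1 -= amountOut;
        token1.safeTransfer(msg.sender, amountOut);
    }

    // Circuit breaker. The owner should be a multisig or timelock, because
    // whoever holds this role can also trigger migrate() below.
    function pause() external onlyOwner {
        _pause();
    }

    function unpause() external onlyOwner {
        _unpause();
    }

    // Migration requires the pool to be paused first, so it cannot interleave
    // with user deposits or swaps, and the destination must be a deployed
    // contract rather than an externally owned account.
    function migrate(address newPool) external onlyOwner whenPaused {
        require(newPool.code.length > 0, "destination is not a contract");
        uint256 amount0 = token0.balanceOf(address(this));
        uint256 amount1 = token1.balanceOf(address(this));
        reserve0 = 0;
        reserve1 = 0;
        token0.safeTransfer(newPool, amount0);
        token1.safeTransfer(newPool, amount1);
        emit Migrated(newPool, amount0, amount1);
    }
}
```

The ordering matters for incident response: pause first, then migrate, then point the front-end at the new address. Note that migrate() is itself a privileged withdrawal path, so the pause/migrate authority is part of the trust model being audited, not only the swap logic.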

Conclusion

The attack on zkSync ecological DEX Merlin on April 26th, 2021, highlights the security risks that currently exist on decentralized exchanges. The operators of Merlin responded quickly: they suspended front-end access, paused pool operations, migrated all unaffected contracts, and then hired external auditors. These measures were crucial in preventing further damage and in allowing Merlin to continue offering secure and reliable services to its users.

FAQs

1. Is my investment in Merlin safe?

Yes, Merlin has taken necessary steps to ensure user funds are safe, including migrating all unaffected contracts and deploying fixed contracts that prevent a repeat of the vulnerability.

2. Will there be more security measures added to Merlin?

Yes, the Merlin team hired two independent security auditors to identify and resolve any security vulnerabilities, thus ensuring a safer platform for users.

3. Will Merlin compensate users affected by the attack?

No, Merlin’s official statement explicitly stated that they would not compensate users affected by the attack. However, the measures taken by the team intend to ensure that such attacks do not happen again in the future.

This article and pictures are from the Internet and do not represent Fpips's position. If you infringe, please contact us to delete: https://www.fpips.com/18866/
