- Funds were drained by someone who had control of the liquidity pool
- CertiK established a security score of 47.57
Merlin, a recently launched decentralized exchange based on zkSync, lost more than $1.1 million in an exploit during a public sale of its mage (MAGE) token this morning, CoinDesk wrote. The attackers drained USD Coin worth $850,000 as well as a certain amount of relatively illiquid tokens.
According to blockchain data, the funds were drained by someone who had control of the liquidity pool. It was an “easy” exploit, not a complex or sophisticated one.
“No critical findings”
Merlin had undergone an audit by leading blockchain security firm CertiK, the result of which was “No Critical Findings.” However, the website also states that no security findings were addressed. The protocol’s security score was established as 47.57. Below are the other parameters:
Fundamental Health: 44.93
Community Trust: 54.75
Market Stability: 50.72
Governance Strength: 48.07
Code Security: 80.77
Operational Resilience: 40.49
MAGE started trading at $45
The DEX launched its mage tokens to investors in a public sale in a three-day event. There was no hard cap. Developers wrote that the token MAGE would start trading at $45. The intended market value of $850,000 was stolen in its entirety.
Developers added that the end price of the token would be determined by the total amount raised.
According to CertiK’s site, there was also a bug bounty program with rewards up to $5,000.00 and reserved funds of $50,000.00. There is no indication that this program was launched. There is also no information about what measures the DEX will take next.