Merlin hack
Recently, TheMerlinDEX pools were drained, and it appears to be a definite rug pull. The hacker's address is 0xc0D6987d10430292A3ca994dd7A31E461eb28182, which is the creator of the MerlinSwapFactory contract and thus belongs to one of TheMerlinDEX team members. (You can check the details at https://explorer.zksync.io/address/0xc0D6987d10430292A3ca994dd7A31E461eb28182…) The hacker drained all the money, including around $1M USDC, as shown in the picture below.
It is important to note that Merlin pools were intentionally designed to be a rug pull. The initialize() function at the MerlinSwapFactory contract automatically approved the FeeTo address (which was the hacker) to spend all tokens in the created pairs, enabling them to drain all of them at any time.
Despite being audited by CertiK, this vulnerability was not identified or flagged as an issue in their report.
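A monitoring check for the approval pattern described above, as an added example that is not part of the original page or of the Merlin code: it scans ERC-20 Approval event logs for allowances in which a liquidity pool itself is the owner. It assumes the token emits the standard ERC-20 Approval event; the function names, addresses and sample logs are constructed for illustration.

```python
# Added example: flag ERC-20 allowances granted BY a pool contract.
# Addresses and log entries below are constructed sample data.

# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
MAX_UINT256 = 2**256 - 1

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def pool_allowances(logs, pools):
    """Return one finding per non-zero allowance whose owner is a known pool."""
    pools = {p.lower() for p in pools}
    findings = []
    for log in logs:
        topics = [t.lower() for t in log.get("topics", [])]
        # ERC-20 Approval has exactly 3 topics (ERC-721 indexes tokenId too)
        if len(topics) != 3 or topics[0] != APPROVAL_TOPIC:
            continue
        owner = topic_to_address(topics[1])
        spender = topic_to_address(topics[2])
        amount = int(log["data"], 16)
        # A user approving a router, or approving LP tokens, is normal traffic.
        # A pool approving an outside address over its reserves is not.
        if owner in pools and amount > 0:
            findings.append({"token": log["address"].lower(), "pool": owner,
                             "spender": spender,
                             "unlimited": amount == MAX_UINT256})
    return findings

def _pad(addr):
    return "0x" + "00" * 12 + addr[2:]

def _word(n):
    return "0x" + format(n, "064x")

# Constructed placeholder addresses
POOL, FEE_TO, TOKEN = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
USER, ROUTER = "0x" + "44" * 20, "0x" + "55" * 20

SAMPLE_LOGS = [  # shaped like eth_getLogs results, constructed for this example
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad(POOL), _pad(FEE_TO)],
     "data": _word(MAX_UINT256)},   # pool grants unlimited allowance: flagged
    {"address": POOL, "topics": [APPROVAL_TOPIC, _pad(USER), _pad(ROUTER)],
     "data": _word(10**18)},        # user approves LP tokens: ignored
    {"address": TOKEN, "topics": [TRANSFER_TOPIC, _pad(USER), _pad(POOL)],
     "data": _word(5 * 10**6)},     # Transfer event: ignored
]

if __name__ == "__main__":
    for finding in pool_allowances(SAMPLE_LOGS, [POOL]):
        print(finding)
```

The pool list would come from the factory's pair-creation events; any finding is worth reviewing, because the pool's reserves can be pulled by the spender without a swap.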
Approximately $2M was drained, and the money was bridged to Ethereum using MultichainOrg. The funds are now located at 0x0b8a3ef6307049aa0ff215720ab1fc885007393d, which is an unknown contract on Ethereum.
We are truly sorry to hear about the losses suffered by the victims of this rug pull. As a response to this incident, we have decided to issue the MORGANA token, create a pool in our DEX, and distribute a portion of our weekly emissions to the victims. We hope that this initiative will help alleviate some of the losses and rebuild trust in the blockchain community.