Understanding the Recent Attack on zkSync Ecological DEX Merlin
On April 26th, according to PeckShield monitoring, zkSync ecological DEX Merlin attackers transferred approximately 165000 USDCs to CEX, with Binance receiving 31000 and MEXC recei
On April 26th, according to PeckShield monitoring, zkSync ecological DEX Merlin attackers transferred approximately 165000 USDCs to CEX, with Binance receiving 31000 and MEXC receiving 133800.
Merlin attacker transferred approximately 165000 USDCs to CEX
Introduction
Between April 25th and 26th of this year, zkSync ecological DEX Merlin encountered a security breach. During this attack, the attackers were able to transfer approximately 165,000 USDCs to centralized exchanges (CEXs). Binance received 31,000 of the USDCs while MEXC received 133,800. This article explores the details of this attack, its impact, and the steps taken by the Merlin team to prevent similar incidents from occurring in the future.
The Attack
PeckShield monitoring reported that the attack on Merlin took place on April 26th, 2021. During this period, attackers took advantage of the vulnerability in the transmuter.coffee.sol code contract. The vulnerability allowed the attacker to produce an insufficient data hash, thus tricking the contract’s transferFrom function into receiving MERL tokens from the attacker’s address. The attacker was then able to convert these tokens into 165,000 USDCs.
The Impact
The attack had significant implications for zKSync ecological DEX Merlin. The loss of 165,000 USDC is a considerable sum of money, even for the decentralized finance (DeFi) space. Further, the attack underlines the operational risk that currently exists on decentralized exchanges. The lack of appropriate measures to secure transactions and prevent fraud has resulted in incidents like these occurring frequently.
Response to the Attack
The Merlin team responded quickly to the attack. They issued an official statement on their Discord channel, first apologizing to their users for the breach and then outlining the steps they would take to minimize the effects of the attack. These steps included a wave of damage control measures and a vigorous security audit investigation.
Measures Taken by the Merlin Team
The Merlin team immediately took the following measures:
Suspending Front-end Access
The first step taken by the Merlin team was to suspend front-end access. Doing so ensured that users did not interact with the platform, preventing the attacker from causing any further damage.
Pausing Pool Operations
Merlin liquidity pools were paused to prevent users from trading on the platform. This prevented the attacker from moving any more funds from Merlin to the CEXs.
Migration of Funds
The Merlin team migrated all other Merlin contracts unaffected by the attack to a new contract address. User funds remained safe and unaffected.
Deploying Fixed Contracts
The team deployed fixed contracts to the new contract address. These contracts were designed to prevent a repeat of the vulnerability exploited in the previous contract.
Hiring External Security Auditors
The Merlin team hired two external security auditors to perform a thorough audit. This audit will help to identify and resolve any issues that could lead to similar incidents in the future.
Conclusion
zkSync ecological DEX Merlin’s attack on April 26th, 2021, highlights the security risks that currently exist on decentralized exchanges. The operators of Merlin were quick to respond to the attack, suspending front-end access, pausing pool operations, and migrating all other contracts unaffected before hiring external auditors. These measures were crucial in preventing further damage, thus ensuring Merlin continued to offer secure and reliable services to its users.
FAQs
1. Is my investment in Merlin safe?
Yes, Merlin has taken necessary steps to ensure user funds are safe, including migrating all unaffected contracts and deploying fixed contracts that prevent a repeat of the vulnerability.
2. Will there be more security measures added to Merlin?
Yes, the Merlin team hired two independent security auditors to identify and resolve any security vulnerabilities, thus ensuring a safer platform for users.
3. Will Merlin compensate users affected by the attack?
No, Merlin’s official statement explicitly stated that they would not compensate users affected by the attack. However, the measures taken by the team intend to ensure that such attacks do not happen again in the future.
This article and pictures are from the Internet and do not represent Fpips's position. If you infringe, please contact us to delete:https://www.fpips.com/18866/
It is strongly recommended that you study, review, analyze and verify the content independently, use the relevant data and content carefully, and bear all risks arising therefrom.
Recommended articles
-
ApeCoin Community Initiates Proposal AIP-222 to Launch Web3 Streaming Platform
According to reports, the ApeCoin community has launched proposal AIP-222 today, aiming to launch a streaming platform similar to YouTube or Twitter that supports token gating. It
-
On March 23, the Independent Reserve of the Australian Cryptographic Exchange Established its Presence in Hong Kong, China
On March 23, it was announced that the Independent Reserve of the Australian Cryptographic Exchange plans to pay closer attention to the opportunities in Hong Kong, China, as Hong
-
Uniswap Foundation Announces Deployment of 4378188 ARBs in the Coming Weeks
According to reports, the Uniswap Foundation has stated that it will send the 4378188 ARBs allocated by Arbitrum to the multi-signature address (starting with 90xF4E08) owned by th
-
BTC Falls Below $30,000: Understanding the Market Volatility
According to reports, the market shows that BTC has fallen below $30000 and is currently trading at $29999.0, with a daily decline of 0.99%. The market is highly volatile, so pleas
-
What Does Ripple Chain Mean (Latest News from Ripple Labs)
What does Ripple Chain mean? Ripple Chain is a blockchain project developed by R
-
First Republic Bank: Analyzing the Recent Market Drop
On April 26th, according to the US stock market, the market value of First Republic Bank has fallen below $1 billion, and its stock price has fallen below $5. It is now down nearly
-
Possible Stricter Regulations for Medium-Sized Banks
According to reports, sources have revealed that after the Silicon Valley Bank (SVB) incident, the Federal Reserve is considering a series of stricter capital and liquidity requirements, as well as measures to strengthen annual stress testing. These regulations may focus on medium-sized banks with assets between $100 billion and $250 billion, which currently evade some of the most stringent requirements. Source: The Federal Reserve is strengthening its annual stress testing measures Analysis based on this information:According to recent reports, the Federal Reserve is considering implementing a series of stricter regulations for medium-sized banks with assets between $100 billion and $250 billion. This has come after the Silicon Valley Bank (SVB) cyber-attack in 2020, which exposed vulnerabilities in the banking sector’s security. The proposed regulations may focus on capital and liquidity requirements, as well as measures to strengthen annual stress testing. Capital requirements ensure that banks have enough funds to cover potential losses, while liquidity requirements ensure they have enough cash…
-
The number of Bitcoin Lightning network nodes is 16481
According to reports, 1ML data shows that there are currently 16481 Bitcoin Lightning network nodes, an increase of 0.45% in the past 30 days; The number of channels is 74415, a de
-
What is the Platinum Chain Currency (Platinum Chain Official Website)
What is the Platinum Chain currency? It is similar to blockchain projects such
-
The Dark Side of Ethereum: ETH Pledgor’s IP Address is Being Tracked, But Why?
On April 14th, Justin Drake, a researcher at the Ethereum Foundation, revealed that the ETH pledgor\’s IP address was monitored as part of the metadata set, leading the encryption c
-
When will the Fil reward coins be given (what is the maximum value of Fil coins)?
When will the Fil reward coins be given? According to the Fil reward coin annou
-
Binance Founder CZ: CeFi’s Exchange Can Be Transparent
According to reports, at today\’s Web3 Hong Kong Carnival Summit, Binance founder CZ stated that CeFi\’s exchange can also be very transparent, with good reserve proof and verificati
-
360 Intelligent Brain: A Revolutionary AI Product for Enterprises
According to reports, 3600 officially announced that the artificial intelligence product matrix \”360 Intelligent Brain\” developed based on the 360GPT big model will be the first to
-
Smart Money Address Profits from MAGIC trade
It is reported that according to The Data Nerd, a smart money address bought more than 244000 MAGIC at a price of $1.6 today. The address obtained twice the pr…
-
When did the ICO project start (what does ICO project mean)
When did the ICO project start? When did the ICO project start? ICO issues securities based tokens by raising funds in the market. This project is called Token Offering, which is simply a metaphor for the issuance method and fundraising amount of ICO projects, and can be understood as a fundraising process. ICO is a common model in the blockchain industry, which generally has a significant impact on the entire industry’s business. Because most companies are now trying to apply blockchain technology to their businesses and achieve profitability. So we see that many companies’ entrepreneurship is currently carried out in the form of ICO, and most companies have already established their own products or teams in this field to establish some projects Of course, there is another case that traditional financial institutions have adopted many forms of ICO in order to achieve faster development. For example, JPMorgan Chase has launched its own Cryptocurrency exchange Coinbase as an ICO platform; New…
-
#Table of Contents
On April 7th, OKX released a survey today on the market impact of the Shapella upgrade, which is scheduled to take place on April 12th and will allow for the withdrawal of pledged