CertiK audit firm “guilty” of Merlin rug pulling



A few days ago, smart contract auditing firm CertiK played a crucial role in the $1.8 million rug pull affair by Merlin, a decentralised exchange developed on the zkSync network. 

After Merlin pulled the rug on its users, the blockchain cybersecurity firm managed to recover $160,000 with the help of several business partners.

Let’s take a look at the details of this interesting story.

CertiK and the DEX Merlin Rug Pull

On 24 April, zkSync-based DEX Merlin announced that its back-end team had fraudulently robbed its users of their assets by emptying the decentralised protocol’s liquidity pools of $1.8 million.

The insiders manipulated all front-end contracts via a hidden function that allowed a call to the exchange’s pools, and managed to access the project’s web host to condition the source code to steal all previously deposited funds.

The news was spread by part of the Merlin team, who were unaware of the power the back-end developers had over the smart contracts they had integrated into the protocol.

CertiK, an auditing firm that had audited all of Merlin’s contracts and found no flaws in the back-end systems, immediately sprang into action, pledging $2 million to identify the perpetrators of the rug pull and return the funds to the stolen users.

The latter was hampered by a lack of cooperation from some of the team’s core members, who were reluctant to divulge their personal details given the seriousness of the situation.

After involving several business partners and informing the police and relevant authorities in the United States and the United Kingdom, CertiK was able to recover some of the stolen smart contract cash, amounting to $160,000.

Currently, a portion of the stolen amount of 500 ETH (approximately $920,000) is being held at this address, while the remainder has been dispersed into several dozen wallets that are difficult to track and identify.

All that is known is that the back-end team has developed other projects in the past, such as Dynochain, Discoverilla and InterFinetwork, and that the individuals in the group are based in Serbia, a country where the regulatory authorities were promptly alerted by Merlin’s ‘good’ team.

Even if Merlin succeeds in recovering the funds embezzled from its users by demonstrating a transparent commitment, it is unlikely to regain the trust of the community, which has become disillusioned by the lack of due diligence in monitoring the individuals who had the technical ability to empty the DEX pools.

What is CertiK?

CertiK is an industry-leading blockchain cybersecurity company, focused on analysing smart contracts for bugs or potential flaws that could compromise the integrity of a protocol.

Founded in 2018 by Zhong Shao and Ronghui Gu, two professors from Columbia and Yale universities, CertiK uses formal controls and AI technology to monitor on-chain movements, conduct audits and protect web applications from attacks of all kinds.

The company is one of the most respected companies in the crypto world, having served more than 3,843 clients since its inception and evaluated infrastructures that currently manage around $384 billion. 

Since 2018, CertiK has managed to identify more than 60,000 vulnerabilities in the smart contracts and layer 1s it has analysed. 

Some of the most influential names of crypto projects that have used CertiK’s services include PancakeSwap, 1inch, ApeCoin, Tether, Fetch.ai, the BNB Chain, Polygon, Aave, Aptos, TrueUSD, Decentraland, The Sandbox, Shiba Inu and many more.

On the other hand, if we look at the investors who have bet on the bright future of the audit firm, we find prominent names such as Sequoia Capital, Goldman Sachs, Insight Partners, Coinbase, Binance, Tiger Global, Coatue and Soft Bank.

CertiK’s name is one of the best known among companies that secure protocols and infrastructure against vulnerabilities and potential cyber-attacks, although it has lost some of its lustre recently due to a few mishaps and inaccurate audits.

CertiK was less than diligent in its analysis of Merlin’s smart contracts: the crypto community is furious

In the case of Merlin’s rug pull, it turned out that CertiK had not done a thorough job of analysing the flaws in the code of the protocol, which is, incidentally, a fork of the Camaleot exchange, a native DEX on Arbitrum.

To find vulnerabilities in Merlin, it would have been sufficient to compare the two codes and see if there were any differences.

Instead, it appears that the auditor did a rough reading and missed a major vulnerability, which then led to the attack on Merlin’s liquidity pools.

According to CertiK themselves, the mistake was that they did not sufficiently highlight certain centralised privileges of the back-end team and did not distinguish this risk in their report.

The community was furious that the company took 10 days and earned $50,000 to analyse a piece of code without explicitly mentioning the potential vulnerability.

An anonymous user posted a tweet saying that ChatGPT also managed to find the two lines of code that enabled the rug pull.

So what is the point of relying on an auditing firm, spending a lot of money and waiting several days for a bad result when an AI chatbot can do it better?

Even Charles Paladin, core auditor of the Camaleot exchange’s smart contracts, said that CertiK most likely did not even look at Merlin’s smart contracts because it is very difficult to miss such a large and obvious vulnerability.

After this incident, CertiK lost a lot of credibility, even though it managed to recover $160,000 with the help of its partners such as CEX and on-chain monitoring companies, rather than through its own technical capabilities.

We hope that stories like this do not happen again, because they risk losing the trust of the entire DeFi sector, not just a single company that has lapsed in due diligence.