According to smart contract auditor CertiK, $160,000 has been frozen from Merlin, a decentralized exchange (DEX) built on zkSync, which was at the center of a “rugpull” incident caused by a rogue insider last week.

On May 5, CertiK shared news of the successful $160,000 freeze of stolen funds with its 257,700 Twitter followers. CertiK stated that it had tried to collaborate with Merlin to recover the funds lost in the “rugpull” of April 25 but was unable to obtain the exchange’s cooperation. Consequently, it has contacted law enforcement in the United States and the United Kingdom to determine the identities of the pseudonymous operators involved in the crime. CertiK believes the “rogue developers” are based in Europe.

Merlin claimed that the rug pull was carried out by its backend team, whom it trusted, and said it would continue to support its community despite the incident.

CertiK, for its part, acknowledged partial responsibility for failing to properly inform users of the centralization risks. The company pledged $2 million to reduce exit scams and support their victims, while emphasizing that smart contract auditors should not be held entirely responsible for failing to identify rug pulls.
In addition, CertiK is working to improve the clarity of its audit summaries in reports and to communicate with the community about the goal of audits. They also announced that going forward, centralization risks will be the main priority of audit summaries so that users have a comprehensive understanding of potential risks.
“Code audits serve the purpose of uncovering vulnerabilities, not detecting a potential rugpull. It’s important to recognize that many projects, both large and small, have centralization issues flagged, and the vast majority do not result in a rugpull,” CertiK said.