CertiK, one of the largest smart contract auditing firms, said it is working on a plan to compensate users affected by the Merlin scam, a decentralized cryptocurrency exchange whose contracts it had audited.
Initially, on the morning of Wednesday (26), the company even claimed that the incident was caused by a “problem with private key management”, noting that “the ‘Merlin’ audit report highlights the risk of centralization in the ‘Decentralization Efforts’ section”.
However, CertiK issued a new statement hours later, after third parties pointed out that the cause was a flaw in the smart contract itself, that is, an error the audit should have caught.
“We did some research on Merlin smart contracts and identified the malicious code responsible for draining funds,” wrote eZKalibur’s profile. “How can CertiK check this?”
📢 We did some research on Merlin smart contracts and we identified the malicious code responsible for draining funds.
These two lines of code in the initializer essentially authorize the feeTo address to create an unlimited (type(uint256).max)… pic.twitter.com/mIksh4HkhB
— eZKalibur ∎ (@zkaliburDEX) April 26, 2023
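The pattern eZKalibur describes, a setup function granting a privileged address an unlimited allowance, is one an auditor can screen for mechanically. The check below is an added example, not code from the page, CertiK or Merlin: it scans Solidity source for unlimited ERC-20 approvals and flags those made inside a constructor or initializer. It assumes the authorization in the tweet was an `approve(feeTo, type(uint256).max)` call; the contract text it scans is constructed for the example.

```python
import re
# Constructed Solidity fragment in the shape eZKalibur described: a pool
# initializer handing the feeTo address an unlimited allowance over the
# pool's tokens. Sample input for this check, not Merlin's actual source.
SAMPLE_SOURCE = """
contract Pair {
    address public token0; address public token1; address public feeTo;
    function initialize(address _token0, address _token1, address _feeTo) external {
        token0 = _token0; token1 = _token1; feeTo = _feeTo;
        IERC20(_token0).approve(_feeTo, type(uint256).max);
        IERC20(_token1).approve(_feeTo, type(uint256).max);
    }
    function swap(uint amount0Out, address to) external {
        IERC20(token0).transfer(to, amount0Out);
    }
}
"""

# Function or constructor header, up to its opening brace.
FUNC_RE = re.compile(r"(?:function\s+(\w+)|(constructor))\s*\([^)]*\)[^{;]*\{")
# ERC-20 approve() whose amount is one of the usual unlimited spellings.
UNLIMITED_APPROVE_RE = re.compile(
    r"\.approve\s*\(\s*([^,()]+?)\s*,\s*"
    r"(?:type\(uint256\)\.max|uint256\(-1\)|2\s*\*\*\s*256\s*-\s*1)\s*\)"
)
SETUP_NAMES = {"constructor", "initialize", "init", "initializer"}

def functions(source):
    """Yield (name, body) for each function, tracking braces to find the body end."""
    for m in FUNC_RE.finditer(source):
        depth, i = 1, m.end()
        while i < len(source) and depth:
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        yield (m.group(1) or m.group(2)), source[m.end():i - 1]

def find_unlimited_approvals(source):
    """Return (function, spender, in_setup) for every unlimited approve call.
    in_setup flags allowances granted at deployment or initialization, where a
    privileged address gains lasting drain rights before any user deposits."""
    return [
        (name, am.group(1), name in SETUP_NAMES)
        for name, body in functions(source)
        for am in UNLIMITED_APPROVE_RE.finditer(body)
    ]

if __name__ == "__main__":
    for fn, spender, setup in find_unlimited_approvals(SAMPLE_SOURCE):
        print(f"{'setup' if setup else 'other'}: {fn}() approves unlimited spend to {spender}")
```

Any hit inside a setup function deserves an explicit finding in the audit report rather than a generic centralization note, because the allowance persists for the life of the pool regardless of who later holds the keys.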
CertiK plans to reimburse those affected and offers the hackers a bounty
When CertiK became aware of the tweet above, it had no choice but to acknowledge the error in its audit. As a remedy, the company says it is exploring a plan to compensate victims. The lost amounts correspond to R$ 10 million.
“CertiK is exploring a compensation plan to cover approximately $2 million in lost user funds on Merlin,” wrote the company. “Initial investigations indicate that the rogue developers are based in Europe and we are working with authorities to track them down.”
CertiK is also offering the developers a 20% bounty, approximately R$2 million (US$400,000). In other words, they could return only US$1.6 million (R$8 million) in cryptocurrencies and not face legal charges.
“We ask rogue developers to accept a 20% white hat premium,” concluded CertiK. “While we addressed the private key permissions issues in the audit report, we want to help affected users.”
“We are determined to track down those behind this rug pull. More compensation details will be released.”
1/ CertiK is exploring a community compensation plan to cover the ~$2 million in user funds lost in the Merlin DEX rug pull. Initial investigations indicate that the rogue developers are based in Europe and we are working with law enforcement to track them down.
⬇️⬇️⬇️
— CertiK (@CertiK) April 26, 2023
The company’s decision divided opinion
CertiK’s comments divided opinion among its followers. On the one hand, some congratulated the company for its stance on the incident, while others felt uncomfortable with the situation.
“White hat bounty? They created the contracts primarily to steal liquidity,” commented an outraged user on Twitter. “What stuff do you smoke? Use that reward amount to hire someone who can read contracts.”
In the end, the case appears to be a lesson for both parties. Audit firms should pay more attention to their work, and users should not rely blindly on audit attestations, even though they are undeniably a minimum requirement for DeFi projects.
In addition, plans to reimburse those affected show a maturing industry, weary of so many multimillion-dollar scams.
Source: Live Coins

Barry Siefert is an accomplished journalist and author at The Nation View. He is known for his expertise in the field of cryptocurrency, and has written extensively on the topic. With a background in finance and economics, Barry has a deep understanding of the underlying technology and market forces that drive the crypto industry.