CertiK Denies Responsibility for MerlinDEX Rug Pull

CertiK audited a project which later rugged user funds for $2 million. The firm denies responsibility for the incident.

A man carrying a rug over a bridge towards a green moon.
Created by Gabor Kovacs from DailyCoin
  • CertiK audited MerlinDEX, which later suffered a $2 million exit scam. 
  • The firm denied responsibility but claims it is working on an aid fund for victims. 
  • The incident generated outrage, with some users questioning CertiK’s credibility.   

Crypto projects are rife with scams and hacks. To protect themselves, investors are looking to smart contract auditing firms to vet the contracts and ensure their safety. 

Unfortunately, as MerlinDEX token holders found out, smart contract audits do not guarantee their funds are safe. 

CertiK, a blockchain security firm, is facing backlash after a project it audited suffered an exploit, resulting in almost $2 million in losses. 


The auditing firm denied responsibility for the lost funds in MerlinDEX. However, following an immense backlash, CertiK said it is investigating the case and exploring a plan to compensate the victims

CertiK Claims MerlinDEX Vulnerability Was ‘Outside the Scope of an Audit

On Wednesday, April 26, decentralized exchange MerlinDEX revealed that the project suffered an exit scam. According to the team, rogue developers from Serbia stole $1.82 million from the project’s wallets.

The funds belonged to investors who bought the project MAGE token during its public sale. The scam generated an immense backlash against both MerlinDEX and CertiK.


“CertiK is actively investigating the recent MerlinDEX exit scam,” the firm writes in a press release sent to DailyCoin. However, the firm still denies responsibility for the scam. 

“Private key privileges are outside the scope of a smart contract audit,” CertiK wrote. They also added that smart contract audits could not prevent rug pulls. 

CertiK invited users to look for projects with a KYC Badge to mitigate the risk of a rug pull. This certification indicates that developers have disclosed their information to the auditing firm. 

Furthermore, in a Twitter post following the scam, CertiK highlighted that its report did point to centralization risks in the MerlinDEX smart contract. 

CertiK’s audit does mention that the centralization of smart contract privileges could make the project more vulnerable to a hack. 

The audit also suggests a mechanism to mitigate the risk of potential hacks due to centralization risks. However, the audit did not highlight the risk of developers taking the money. 

CertiK’s Response: Victim Aid Fund, Bounty For Developers

CertiK’s response did not leave many users satisfied. Multiple social media users were dissatisfied with its practices and questioned its credibility

Users also pointed out that some investors expect auditing firms to look at rug pull risks, which are rampant in crypto. 

“CertiK, to be clear we also want you to call out issues as severe when the team can rug us, not just exploits,” one user wrote. 

Following the backlash, the auditing firm said it is committed to covering the losses of MerlinDEX investors. 

“Working closely with the remaining Merlin team, CertiK will initiate a victim aid fund to cover the lost funds for affected users,” the firm wrote. 

At the same time, CertiK urged the rogue developers to return 80% of the funds and accept a “20% white hat bounty” for taking the funds. This would mean that developers could walk away with $364,000 without the risk of prosecution. 

DailyCoin contacted CertiK with follow-up questions, but the firm did not respond at the time of publication. DailyCoin will provide an update with more details about the case and their responses if they answer. 

On the Flipside 

  • “White hack” bounties usually go to hackers that successfully found an exploit in the project’s code. They are not typically a way to entice developers to return rug pull money.   
  • CertiK did not specify whether user compensation depends on developers accepting the “White Hat” deal. 

Why You Should Care

The MerlinDEX case should change how every altcoin investor approaches smart contract audits. Investors should always read the smart contract audit in full because a passing mark itself is not a good indicator of risk. Instead, investors should look for “centralization risks” in the smart contract if they want to avoid the chances of a rug pull.  

Read more about rug pull scams and how to prevent them: 

How to Spot a Crypto Rug Pull Scam

Read more about the intersection between AI and blockchain tech:

MOSDEX Deploys AI and Deep Neural Networks for Crypto

This article is for information purposes only and should not be considered trading or investment advice. Nothing herein shall be construed as financial, legal, or tax advice. Trading forex, cryptocurrencies, and CFDs pose a considerable risk of loss.

David Marsanic

David Marsanic is a journalist for DailyCoin who covers the intersection of crypto, traditional finance, and government. He focuses on institutionalized crypto entities like major cryptocurrency exchanges and Solana, breaking down complex topics into easy-to-understand writing. David's prior experience as a business journalist at various crypto and traditional news sites has enabled him to maintain a critical approach to news while adhering to high journalistic integrity standards.