DEX on zkSync Era Hacked for $1.82M Right After Code Audit

Some evidence points to private key mismanagement as the cause for the incident.

A man wearing a gas mask and a hat inside of hacked code.
Created by Kornelija Poderskytė from DailyCoin
  • Merlin, a new DEX on zkSync Era, lost $1.82 due to a bug in its smart contracts or private key mismanagement.
  • Just two days ago, Merlin passed CertiK’s code audit.
  • Some evidence points to an inside job by Merlin’s anonymous developers.

2023 has been one of the worst years for decentralized exchanges in terms of hacking incidents. Multiple DeFi projects on various blockchains have been exploited for millions of dollars.

And the trend is continuing. On Wednesday, a decentralized exchange on zkSync Era got hacked for $1.82 million.

DEX on zkSync Hacked for $1.82 Million

Merlin, a new decentralized exchange on Ethereum Layer-2 zkSync Era, experienced a costly exploit on Wednesday. The exchange was hacked for $1.82 million.


The hack is especially interesting because of suspicious timing. Merlin received a code audit on Monday from CertiK, one of the most reputable smart contract auditors.

In the audit, CertiK said it found no potential bugs that may lead to exploits. However, the firm did mention in the audit that there are certain centralization risks related to how Merlin is managing its private keys.

Reacting to the incident, CertiK said that the exploit is most likely related to a potential “private key management issue” rather than an “exploit as the root-cause.”

“While audits cannot prevent private key issues, we always highlight best practices to projects. Should any foul play be discovered, we will work with the appropriate authorities and share relevant info. Stay tuned for updates.”

Merlin itself has only acknowledged the incident and asked to “revoke connected site access on your wallets/sign permission” but hasn’t yet offered any more details.

And it’s possible that it won’t. Some users are pointing out that the Merlin hack was likely carried out by Merlin insiders due to a bug left out intentionally in the smart contracts.

On top of that, Merlin had just begun publicly selling its token, MAGE. Some users have also pointed out that the developers behind Merlin are anonymous.

On the Flipside

  • It’s possible that the hack happened because of honest mismanagement of private keys. However, this is still to be seen as no new information is currently available.

Why You Should Care

Users who want to use decentralized exchanges, especially those just launched, should be extra careful. 

Read more about a recent KuCoin Twitter hack:

How to Stay Safe After the KuCoin Twitter Hack

Read more about Visa’s plans with crypto:

Visa Is Hiring Software Engineers for ‘Ambitious’ Crypto Product Roadmap

This article is for information purposes only and should not be considered trading or investment advice. Nothing herein shall be construed as financial, legal, or tax advice. Trading forex, cryptocurrencies, and CFDs pose a considerable risk of loss.

Arturas Skur

Arturas Skur is a cryptocurrency news reporter at DailyCoin who covers Web 3.0 domains, DeFi, and Ethereum Layer-2s. With over five years of experience in journalism and public relations, Arturas brings his critical thinking and analytical abilities to deliver insightful news stories. In his free time, he enjoys hiking, playing with his dog, and reading.