Smart contract auditor CertiK says it has frozen $160,000 of the funds taken from Merlin, a zkSync-based decentralized exchange that was the subject of an insider "rug pull" last week that cost users $1.8 million.
CertiK shared news of the successful freezing of $160,000 in stolen funds in an update to its 257,700 Twitter followers on May 5. “With the help of our partners, we have successfully frozen $160,000 in stolen funds,” CertiK said, adding that they will continue to monitor the movement of the stolen funds.
The company explained that it had attempted to cooperate with Merlin to recover the funds stolen in the April 25 rug pull, but those efforts went nowhere.
That led CertiK to contact US and UK law enforcement in an attempt to unmask the pseudonymous operator: "This lack of cooperation complicates our efforts to verify and assist victims. We are focused on working with law enforcement and have submitted information to relevant agencies in the US and UK."
“We are exploring all possibilities to fight export fraud with our $2 million pledge,” CertiK added.
According to earlier posts, the security firm believes the "rogue developer" is based in Europe. As for the exit scam itself, CertiK said that "the owner's wallet privileges were abused by Merlin insiders," consistent with its original finding that the loss stemmed from misuse of a privileged private key rather than from a vulnerability in the contract code.
Merlin says the rug pull was carried out by its back-end team, which it says had been given a "high level of trust." CertiK, for its part, accepts some of the blame for failing to properly inform users of the centralization risk in the project.
The firm said it will place more emphasis on this in future audit summaries: "We are working to improve the clarity of the audit summaries in our reports – especially around centralization risk – and to better communicate with the community about the purpose of the audit." However, CertiK stressed that smart contract auditors should not bear sole responsibility for failing to identify rug pulls:
"The purpose of code auditing is to discover vulnerabilities, not to detect potential rugpulls. It is important to recognize that many projects, large and small, have centralization issues, and that the vast majority of projects do not rug pull," the company said.
On April 27 the company launched a $2 million compensation plan for funds lost in the exit scam. The pledged funds will be used to combat exit scams and to help victims wherever possible, the company added.