The attack on Merlin occurred on Wednesday morning during the public sale of MAGE tokens. The exploit occurred against the background of Merlin’s statements about the results of a blockchain security audit conducted by CertiK.
Rugpull is a type of fraud in which criminals create a new token with a parallel launch of a liquidity pool and associate it with a base token or a stablecoin. At the same time, the protocol uses a pool of tokens to make transactions, unlike the order book system, which displays a list of pending trading operations.
CertiK representatives announced an investigation into the recent Merlin DEX scam, as a result of which fraudsters stole $ 2 million. The investigation is being conducted in close cooperation with the Merlin team and a compensation plan to cover stolen funds for affected users will be announced soon.
Early results of the situation analysis demonstrate that the scammers are based in Europe. It is also known that CertiK will cooperate with law enforcement agencies in order to track down intruders if direct negotiations fail. Scammers are advised to return 80% of the stolen funds and accept 20% of the reward in the form of a hat bounty.
The attack occurred despite the fact that Merlin advertised an audit conducted by CertiK, a blockchain security firm.