Merlin, The DEX, Mysteriously Hacked

GM Readers!📪 It's BitDegree Insider, and here's what we've got today.

⭐️Today's selection:

• 💾DEX Merlin Hack
• 👻Popular Myth
• 🧋Wednesday Bubbles
• 👌Selected Meme of The Day
• 📰Bite-Sized News

DEX MERLIN HACK

In a stunning turn of events, the decentralized exchange Merlin fell victim to a large-scale hack, despite having undergone a recent security audit.

Preliminary data suggests that hackers managed to steal over $1.82 million in assets and deplete the platform's liquidity pools.

Merlin, a decentralized exchange operating on the zkSync network, had recently announced plans to launch its main farming pools and public sales only after receiving a complete audit from Certik, a well-known blockchain security firm.

The company's leadership aimed to "provide investors with a full guarantee of safety" before proceeding. However, the hack occurred shortly after Certik completed the audit.

Certik addressed the situation on Twitter, stating:

"Initial results point to a potential issue with private key management, rather than an exploit, as the primary cause. Audits cannot prevent private key issues, but we always highlight best practices for projects."

Ironically, just a few hours prior to the hack, Certik's founder, Gu Ronghui, boasted about the company's success in an interview with Chinese media.

He claimed that Certik had "single-handedly transformed blockchain security into a track that has attracted a lot of attention" and now controlled 70% of the cryptocurrency security market.

Furthermore, he emphasized that the company had managed to reduce the cost of audits by over 90%.

In a twist of fate, only a couple of hours after the interview, the Merlin exchange was hacked.

The incident serves as a stark reminder that even with the most thorough audits, vulnerabilities can still be exploited, highlighting the need for robust security measures across the entire cryptocurrency ecosystem, and as we usually state - diversification!!!

Situation is still very shady, as if Merlin, the wizard, himself cast a spell here.

Is the audit firm at fault? Can everyone continue trusting in their audit skills? Or was it a rug pull from DEX? As for now, we don't know. Take care!

TL;DR: Merlin, a decentralized exchange, was hacked for over $1.82 million after receiving a code audit from Certik, with the first funds being withdrawn less than two hours after the audit was completed.

POPULAR MYTH

Here's a myth: you cannot withdraw crypto from a cold wallet without a transaction confirmation.

When you exchange tokens through a decentralized exchange (DEX) or simply interact with smart contracts, you automatically grant them access to token transfers in your wallet.

This is necessary for the smart contract to be able to exchange your tokens.

For example, if you swap USDC for ETH through a DEX, the exchange's smart contract would gain access to your USDC in your wallet. Often, this access is unlimited.

If the smart contracts of this exchange got hacked, the hackers could withdraw all your USDC from your wallet, even if you were using a cold wallet which wasn't connected to the site.

That's exactly what happened with Merlin (see above).

This also recently happened with the SushiSwap protocol: the smart contracts of this exchange were hacked, and the hackers were able to withdraw crypto from the wallets of users who had granted the contracts unlimited permissions.

How do you protect your wallet?

The main thing you should know: if you regularly use various DEXes on different networks and swap tokens there, you should check whether you have granted unlimited access to your tokens to various contracts.

You can do this on these sites: revoke.cash; Etherscan; de.fi.

To revoke permissions, simply connect the necessary wallet to the site, find the contracts with unlimited permission, and revoke them using the Revoke button.

The main disadvantage of this method is that you will have to pay a fee to sign the revocation transaction.

If there are too many contracts, it might be easier to create a new wallet and transfer the crypto there to avoid spending on fees.

To prevent it in the future, you can simply choose not to grant contracts unlimited permissions when exchanging tokens. Many wallets have this feature.

For instance, following the SushiSwap contract breach, MetaMask introduced a new feature during the transaction signing process, allowing users to establish limits.

Suppose you are exchanging 10 USDC for ARB tokens; you can set a limit of 10, ensuring that the transaction proceeds smoothly.

In the worst-case scenario, only 10 USDC could be stolen, effectively minimizing your potential losses.

We remind you once again that disconnecting the wallet from the site or having a cold wallet does not protect you from this type of attack.

Consequently, the optimal strategy is to HODL your assets in a wallet that has never been connected to any decentralized application (dApp).

WEDNESDAY BUBBLES

Weekly check-up on how's the crypto world looking in the shape of bubbles.

Today they look reddish like radish.

SELECTED MEME OF THE DAY

BITE-SIZED NEWS

• Over 50% of Crypto Lender Hodlnaut Creditors Want Firm's Liquidation. The majority of Hodlnaut creditors demand liquidation for the troubled crypto lender.
• Solana Labs Unveils ChatGPT Plugin for AI-Powered Blockchain Interactions. Solana is taking its first steps into the world of AI.
• United Kingdom's FCA Invites Crypto Firms to Work Together on Crypto Regulations. Authorities in the UK continue to show a positive approach to the crypto industry.