Rogue developers made off with millions in investor funds from DeFi project Merlin by exploiting a backdoor in the protocol’s code, sparking a debate about the role code audits play in DeFi security.
Investors in Merlin, a recently-launched project that touted itself as a decentralised exchange on the buzzy zkSync blockchain, lost $1.82 million on Wednesday after its developers ran off with the cash.
Although such “rug pulls,” or exit scams by developers, are common in crypto, what sets Merlin apart is that the project had been code-audited by security firm CertiK just a few days before the heist.
CertiK missed a critical vulnerability
Some now argue that the auditor missed a critical vulnerability in the protocol’s code.
“There was an obvious malicious logic in the [smart] contract which was not pointed out during the audit,” Andy Zhou, CEO of crypto security firm BlockSec, told DL News. He explained that Merlin’s code allowed its developers to withdraw tokens from the protocol through a feature he had never seen in the code of a typical decentralised exchange.
“This should have been captured and warned to the community,” Zhou said.
Hugh Brooks, director of security operations at CertiK, told DL News that the firm “raised concerns about the level of centralised privileges and capabilities of owner-specific functions, which were held by wallets operated by the Merlin team.”
“These concerns were detailed in the audit report, which we made – as we always do – freely available to the public,” Brooks said.
But the code audit report contains “no warning about any master key” which would allow one to steal tokens, Mikko Ohtamaa, CEO of trading protocol Trading Strategy, told DL News. The specific smart contract where the incident happened is called MerlinSwapPair, he said, and the audit doesn’t mention “someone can take all the money in MerlinSwapPair.”
“And if they would have spotted it, it would need to be a critical or at least high vulnerability,” Ohtamaa said.
Downgraded after the rug pull
In its April 14 audit, CertiK awarded Merlin a high security score of 90, which was then touted as a sign that the protocol is safe to invest in.
“An audit is not a stamp of approval or a ‘pass’ or fail, it’s an objective review of a project’s code,” CertiK’s Brooks said. “We always encourage users to read and understand audit reports before getting involved with a project.”
In the face of criticism, CertiK announced it is “exploring a community compensation plan” to refund victims and has urged the “Europe-based” rogue developers to return the bulk of the stolen funds and keep 20% – worth about $400,000 – for the trouble.
Merlin is not the first protocol to pass a CertiK audit only to have vulnerabilities in its code uncovered at a later date.
In January last year, the developers of Arbix Finance, a DeFi protocol on BNB Chain, stole $10 million three months after a CertiK audit marked all major or critical issues as resolved. Following the incident, CertiK said that “the exploited contract was not in the audit scope that was done for Arbix.”
Two more DeFi protocols – Akropolis and Saddle Finance – have also previously been exploited after CertiK audits. CertiK did not publicly comment on its audits of the two protocols following the incidents, and a spokesperson for the company declined to comment to DL News.
‘Stamp of approval for rug-pull teams’
The fallout comes as the crypto industry debates the merits of AI-powered audits of smart contracts.
Ohtamaa said CertiK’s reports read like “automatically generated flowcharts” and said the audit missed the critical vulnerability that powered the rug pull because it is “outside the scope of the automation tool they use – they don’t even use a human,” he claimed.
“When reading the audit report from CertiK, it gives the feeling of an automatically generated PDF, and not a security review,” Ohtamaa said.
“That is not correct at all,” Brooks said. “We have a team of around 150 human auditors, and manual review is a component of each and every audit.”
Audits often start with the assumption that the developers want to make sure they have not written shoddy code that could leave open a door for malicious actors.
“One aspect that is usually ignored is: what if the protocol itself is malicious?” Zhou told DL News. “In this case, during the audit, the threat model should be changed to locate possible backdoors in the contracts.”
“One can really only trust auditors that have a skin in the game and care about the security of the blockchain community as a whole,” Ohtamaa said, not those “known to take all the money, but never admit their responsibility acting as a cheap stamp of approval for rug-pull teams.”