Merlin DEX

Date:: April 26th, 2023

Amount Stolen:: $1,800,000

Tags:: 💼 IT Workers


Details

Likely a private key compromise or intentional backdoor insertion.

The attacker(s) stole an estimated USD 1.8 million from the protocol by draining its liquidity pools while users were adding assets as part of a “Liquidity Generation Event” and token launch.

The underlying issue was overly centralized control – namely, excessive permissions granted to the feeTo address used during liquidity pool deployment. This address had full access and permissions, enabling the individual(s) controlling it to drain the pool of assets.

The Merlin Platform placed blame on members of their back-end development team – possibly DPRK IT workers inadvertently hired by the protocol. The Platform accused the developers of maliciously manipulating the smart contracts and exploiting the full access/approvals feature, allowing them to drain the liquidity pools.
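As an added illustration (not code from Merlin DEX or from this write-up), and assuming the “full access/approvals” granted to the feeTo address took the form of an unbounded ERC-20 allowance set when a pool was deployed: the weak pattern beside one that never gives a privileged address standing access to the reserves. Contract and function names (WeakPair, HardenedPair, collectFees) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Weak pattern (hypothetical): at deployment the pair hands the fee-collector
/// address an unbounded allowance over BOTH reserve tokens. Whoever controls
/// `feeTo` (a compromised key or a malicious insider) can transferFrom the entire
/// reserves at any time, independent of the pool's own accounting.
contract WeakPair {
    address public token0;
    address public token1;

    function initialize(address _token0, address _token1, address feeTo) external {
        token0 = _token0;
        token1 = _token1;
        // Full access granted to an external address: a single point of failure.
        IERC20(_token0).approve(feeTo, type(uint256).max);
        IERC20(_token1).approve(feeTo, type(uint256).max);
    }
}

/// Hardened pattern (hypothetical): no standing allowance exists. The fee
/// collector only ever receives the fee the contract itself has accrued, and
/// the transfer is pushed by the contract rather than pulled by the collector.
contract HardenedPair {
    address public immutable token0;
    address public immutable token1;
    address public immutable feeTo;
    uint256 public accruedFee0;
    uint256 public accruedFee1;

    constructor(address _token0, address _token1, address _feeTo) {
        token0 = _token0; token1 = _token1; feeTo = _feeTo;
    }

    // Called by the swap logic (omitted here) with the fee actually earned on a trade.
    function _accrueFee(uint256 fee0, uint256 fee1) internal { accruedFee0 += fee0; accruedFee1 += fee1; }

    /// Anyone may trigger collection; only the accrued fee, never the reserves, leaves.
    function collectFees() external {
        uint256 f0 = accruedFee0; uint256 f1 = accruedFee1;
        accruedFee0 = 0; accruedFee1 = 0;
        if (f0 > 0) require(IERC20(token0).transfer(feeTo, f0), "fee0 transfer failed");
        if (f1 > 0) require(IERC20(token1).transfer(feeTo, f1), "fee1 transfer failed");
    }
}
```

A reviewer or auditor can check deployed pools for the weak pattern by reading each reserve token's `allowance(pair, feeTo)`; any non-zero value that is not tied to an accrued fee is the centralization risk this incident describes.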

The stolen funds were bridged back to Ethereum, swapped for Ether (ETH) and transferred to other addresses.

IT Workers?

  • The reported backend development team of Merlin DEX consisted of three different developers, who were reportedly all individuals from Serbia.

  • pos-ninja reports himself as a "BlockChain Engineer" and "Certified Blockchain Developer". As of the last time his profile was online, he had made "1,366 contributions in the last year"[5]. It appears that at some point prior to May 14th, his GitHub profile was deleted[6].

  • OneDev0411 describes himself as a "Full Stack Web Engineer"[7]. He put together an impressive 7,116 contributions on GitHub in 2022[8].

  • DotNetStar82 describes himself as "A Full-stack .Net & Blockchain Developer". He is "ready to start your project anytime" with an extensive list of skills advertised on his GitHub[9]:

      ◦ Like to make a development document with developing content to use that in the future.

      ◦ Delivering perfect results at any time.

      ◦ Keeping good communication and work on the client's time zone.

      ◦ Ability for working with any team and prefer to share much knowledge with many developers.

      ◦ Looking for an opportunity to build a long-term relationship with great clients all over the world.

  • sallamy2580

On-chain


URLs