Beosin: Analysis of the Attack Incident on zkSync Ecosystem DEX Merlin

ChainCatcher message: According to the monitoring of the Beosin EagleEye security risk monitoring, early warning, and blocking platform under the blockchain security audit company Beosin, on April 26, 2023, the liquidity pool of Merlin Dex on the zksync chain (address 0x82) was attacked.

The specific process was that the attacker address one (address 0x27) directly called the transferFrom function to withdraw 811K USDC from the pool, and then cross-chained it to its Ethereum mainnet address via Anyswap. The attacker address two (address 0xcE) extracted 435.2 ETH from the token1 contract (WETH) and cross-chained it to the Ethereum mainnet address (address 0x0b), resulting in a total profit of approximately 1.8 million USD. The Beosin KYT anti-money laundering analysis platform found that the stolen funds are still held in the two aforementioned attacker’s Ethereum mainnet addresses, and Beosin will continue to monitor the stolen funds.