Along with the compensation plan for affected users, CertiK urges malicious actors to return stolen funds and claim the bounty.
CertiK, a Web3, blockchain, and smart contract security firm, revealed its intention to launch a compensation plan in response to the $2 million lost during the decentralized exchange (DEX) Merlin MAGE token public sale.
In an April 26th statement, CertiK confirmed that they are actively investigating the exit scam and have involved Merlin team members to set the compensation plan in motion.
In the statement regarding the matter, CertiK noted:
Initial investigations indicate that the rogue developers are based in Europe, and CertiK will collaborate with law enforcement authorities to track them down if direct negotiation is unsuccessful.
In a bid to encourage the dishonest developer to return the stolen funds, CertiK is urging them to give back 80% of the loot, permitting them to keep 20% as a white hat bounty. This is a common move by crypto firms attempting to recover at least part of the stolen funds.
At the beginning of April, lending protocol Sentiment recovered the majority of stolen funds after offering the hackers a $95,000 bounty.
CertiK continues to pledge support for the affected users, even though private key privileges fall outside the scope of a smart contract audit.
On April 26th, during the uncapped three-day MAGE token public sale, Merlin lost approximately $850,000 worth of USD Coin (USDC) and several less liquid tokens.
Evidence from blockchain data suggests that an individual with control over the liquidity pool effortlessly extracted the funds. Having audited Merlin's code, CertiK shared their preliminary findings, pointing to a "potential private key management issue."
Members of the crypto community on Twitter doubted the CertiK audit, insinuating a potential rug pull.
Thanh Nguyen, the founder of Verichains, alluded to a "backdoor" in Merlin's code, deeming it a "clear security risk as there is no use case that requires its approval."
CertiK noted that while audits can uncover potential hazards and vulnerabilities, they cannot forestall malicious actions by unscrupulous developers, such as rug pulls. On top of that, CertiK added:
We encourage users to look for projects with a ‘KYC Badge’ as an added layer of security, signifying that the project has voluntarily gone through a KYC vetting process.
CertiK is committed to reducing and mitigating the risk of insider threats like rug pulls and will continue to update the public on its compensation plan and the progress of its investigation.