Merlin DEX Insider Rug
Merlin DEX on zkSync lost $1.82M hours after launch when a back-doored owner role let insiders pull liquidity. CertiK's audit flagged the centralization risk.
- Date: April 26, 2023
- Victim: Merlin DEX users
- Chain(s): zkSync Era
- Status: Partially Recovered
On April 26, 2023, the zkSync Era DEX Merlin was drained of approximately $1.82 million within hours of its public-sale launch. Insiders with a privileged fee-receiver/owner role pulled all liquidity. The contracts had been audited by CertiK — whose report had flagged a centralization/private-key risk that users did not weigh.
What happened
Merlin's contracts retained a privileged role able to access pooled liquidity. The CertiK audit explicitly noted the centralization risk of this role; the audit "passed" in the sense that the code did what it claimed — including the privileged path that allowed insiders to drain it. Hours after launch, the role was used to withdraw all liquidity (~$1.82M). CertiK publicly stated it had identified the private-key/centralization concern and pursued partial fund recovery and victim compensation alongside the community.
Aftermath
- Partial recovery and a compensation effort followed (CertiK-coordinated).
- The incident became a flashpoint in the "what does an audit actually certify?" debate.
Why it matters
Merlin DEX is the canonical "audited but the audit flagged exactly this and nobody read it" case. It crystallises a distinction the catalogue makes repeatedly (Arbix, Swaprum): an audit assesses whether the code does what it appears to; it does not assess whether the team will abuse the powers the code grants — and when it flags those powers as a risk, that flag is the product, not a footnote. Users treated "CertiK audited" as "safe"; the audit had literally written down the risk that materialised. The defensive lesson is for users: read the audit's centralization/admin-risk section, because that is where rugs are pre-disclosed.
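The lesson above, "read the audit's admin-risk section", can be turned into a first-pass check a reviewer runs before reading the audit at all: find every function that is gated by an access-control modifier and also moves tokens out of the contract, then rank it by whether it can move the contract's entire balance and whether a delay stands in the way. The script below is an added example written for this entry; it is not Merlin's code, CertiK's tooling, or a reconstruction of the actual contracts. The Solidity it scans is a constructed sample that sketches the pattern the entry describes (a fee-receiver role able to pull pooled liquidity) beside a hardened variant, and the heuristic is deliberately simple regex-based triage, not a substitute for an audit.

```python
import re
from dataclasses import dataclass

# Constructed Solidity sample for this example. It is NOT Merlin's source; it only
# illustrates the shape of the risk: a privileged role whose function can transfer
# every token the pool holds, next to a bounded, time-delayed variant.
SAMPLE_SOURCE = """
contract Pool {
    address public owner;
    address public feeReceiver;

    modifier onlyOwner() { require(msg.sender == owner); _; }
    modifier onlyFeeReceiver() { require(msg.sender == feeReceiver); _; }

    function swap(uint256 amountIn) external {
        token0.transferFrom(msg.sender, address(this), amountIn);
    }

    // Privileged path: the role can pull the pool's full balance at any time.
    function collectFees(address token) external onlyFeeReceiver {
        IERC20(token).transfer(feeReceiver, IERC20(token).balanceOf(address(this)));
    }

    function setFeeReceiver(address r) external onlyOwner {
        feeReceiver = r;
    }
}

contract HardenedPool {
    address public owner;
    uint256 public accruedFees;
    uint256 public unlockAt;

    modifier onlyOwner() { require(msg.sender == owner); _; }
    modifier afterTimelock() { require(block.timestamp >= unlockAt); _; }

    // Bounded: only the accrued fee amount, and only after a public delay.
    function collectFees(address token) external onlyOwner afterTimelock {
        uint256 amt = accruedFees;
        accruedFees = 0;
        IERC20(token).safeTransfer(owner, amt);
    }
}
"""

SOLIDITY_KEYWORDS = {"public", "external", "internal", "private", "payable",
                     "view", "pure", "virtual", "override", "returns"}
TOKEN_MOVE = re.compile(r"\.(safeTransfer|safeTransferFrom|transfer|transferFrom)\s*\(")
FULL_BALANCE = re.compile(r"balanceOf\s*\(\s*address\s*\(\s*this\s*\)\s*\)")
TIME_GATE = re.compile(r"block\.(timestamp|number)")


@dataclass
class Finding:
    contract: str
    function: str
    modifiers: list
    unbounded: bool   # body moves the contract's whole token balance
    timelocked: bool  # gated by a modifier that reads block.timestamp/number

    @property
    def severity(self) -> str:
        if self.timelocked:
            return "low"
        return "high" if self.unbounded else "medium"


def _block_after(src: str, open_idx: int) -> str:
    """Text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    raise ValueError("unbalanced braces in source")


def _contracts(src: str):
    for m in re.finditer(r"\bcontract\s+(\w+)[^{]*\{", src):
        yield m.group(1), _block_after(src, m.end() - 1)


def _modifier_defs(body: str) -> dict:
    return {m.group(1): _block_after(body, m.end() - 1)
            for m in re.finditer(r"\bmodifier\s+(\w+)\s*(\([^)]*\))?\s*\{", body)}


def _functions(body: str):
    for m in re.finditer(r"\bfunction\s+(\w+)\s*\([^)]*\)\s*([^{;]*)\{", body):
        header = re.sub(r"returns\s*\([^)]*\)", "", m.group(2))
        header = re.sub(r"\([^)]*\)", "", header)  # drop modifier arguments
        mods = [w for w in re.findall(r"\w+", header) if w not in SOLIDITY_KEYWORDS]
        yield m.group(1), mods, _block_after(body, m.end() - 1)


def audit_privileged_paths(src: str) -> list:
    """Flag access-gated functions that transfer tokens out of the contract."""
    findings = []
    for cname, cbody in _contracts(src):
        mods = _modifier_defs(cbody)
        access = {n for n, b in mods.items() if "msg.sender" in b}
        timelock = {n for n, b in mods.items() if TIME_GATE.search(b)}
        for fname, fmods, fbody in _functions(cbody):
            if not TOKEN_MOVE.search(fbody) or not any(m in access for m in fmods):
                continue  # not a privileged token-moving path
            findings.append(Finding(cname, fname, fmods,
                                    bool(FULL_BALANCE.search(fbody)),
                                    any(m in timelock for m in fmods)))
    return findings


def report(src: str) -> list:
    return [f"[{f.severity}] {f.contract}.{f.function} gated by {','.join(f.modifiers)}"
            for f in audit_privileged_paths(src)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SOURCE)))
```

On the sample, `Pool.collectFees` is reported as high (privileged, full balance, no delay) while `HardenedPool.collectFees` drops to low because the amount is bounded and a time gate applies. The point is not that the heuristic is complete (it is not; proxies, delegatecall and mint functions are not modelled) but that the same question an audit's centralization section answers can be asked mechanically, and the answer for Merlin-style contracts is visible before any funds are deposited.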
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-merlin-dex-rug-pull-april-2023
- [02] coindesk.com: https://www.coindesk.com/tech/2023/04/27/dex-merlin-and-certik-plan-to-compensate-2m-to-users-impacted-in-rugpull
- [03] rekt.news: https://rekt.news/merlin-dex-rekt