The brand new Merlin DEX had only just launched on the zkSync Ethereum layer-2, with a public token sale beginning on April 25. The following day, they suddenly asked users to revoke permissions to the project, saying they believed there was an exploit. They later wrote: "it is with deepest regret that we have to notify you of a major fault in the structural integrity and controls of the Merlin Platform. In the early hours of this morning the several members of the Back-End Team drained all of our Contracts."
The Merlin DEX had been audited by the CertiK security firm, which stated it was working with the remaining team members to try to trace the thieves. Meanwhile, they wrote that they would be working to compensate affected users.
Some didn't seem to buy the story that the theft was carried out by a few rogue developers, accusing the entire Merlin project team of rug-pulling.