According to the Beosin EagleEye security risk monitoring, early warning and blocking platform monitoring of the blockchain security audit company Beosin, the Merlin Dex liquidity pool (0x82cf66e9a45Df1CD3837cF623F7E73C1Ae6DFf1e) on the zksync chain was attacked on April 26, 2023. Attacker address 1 (0x2744d62a1e9ab975f4d77fe52e16206464ea79b7) directly calls the transferFrom function to transfer 811K USDC from the pool, and then cross-chains to its Ethereum mainnet address through Anyswap. Attacker address 2 (0xcE4ee0E01bb729C1c5d6D2327BB0F036fA 2cE7E2) Extracted 435.2 from the token1 contract (WETH) eth was transferred to the Ethereum mainnet address (0x0b8a3ef6307049aa0ff215720ab1fc885007393d) through Anyswap cross-chain, with a total profit of about 1.8 million US dollars. The Beosin KYT anti-money laundering analysis platform found that the stolen funds were still stored on the above two Ethereum mainnet addresses of the attackers , Beosin will continue to monitor the stolen funds.