Merlin, a decentralized exchange (DEX) built on the layer-2 scaling solution zkSync, was drained of $1 million during its public token sale, despite the exchange passing an audit by cybersecurity firm Hacken.