On April 9th, 2023, the RouteProcessor2 in Sushiswap was exploited due to missing validation on the input with processRoute function. The total loss is around $ 3.3 M.
On April 26, 2023, Merlin DEX pools were drained due to a vulnerability in the initialization of the MerlinSwapPair contract, leading to a loss of 435 WETH and 811K USDC.