CertiK Logo
CertiK Logo
Products
Blogs
Company
incident-response

Products & Technology

Featured Ecosystems

Company

English
Back to all stories
Blogs
Incident Analysis
Initialization Oversight: The Merlin DEX Exploit
1/8/2024
Initialization Oversight: The Merlin DEX Exploit

Project name: Merlin DEX

Project type: DEX

Date of exploit: April 26, 2023

Asset loss: 435 WETH, 811K USDC

Vulnerability: Privileged role

Date of audit report publishing: Apr 14, 2023

Conclusion: Within the audit report

Details of the Exploit

Background

In the Merlin DEX project, the MerlinSwapPair contract is deployed by a factory contract to create pairing pools for two tokens. The pool will be used for token exchange and liquidity management.

Nature of the Vulnerability

When the MerlinSwapPair contract is initialized, maximum allowances of two tokens inside the pool are approved to the feeTo role of the factory, which means feeTo address can withdraw all reserves in the pool directly.

CertiK Audit Overview

Screenshot 2024-01-08 at 5.25.55 AM

Conclusion

On April 26, 2023, Merlin DEX pools were drained due to a vulnerability in the initialization of the MerlinSwapPair contract, leading to a loss of 435 WETH and 811K USDC.

The contract deployer withdrew all funds in Merlin DEX pools directly. The vulnerability lies in the initialization of the MerlinSwapPair contract, which approves max allowances to the factory contract's feeTo role. The vulnerability is in CertiK's audit scope.

Related Stories
The CertiK Ambassador Program
Blogs
Announcements
The CertiK Ambassador Program is an initiative designed to empower our community's most enthusiastic members to play a vital role in promoting a safer blockchain environment while being rewarded for their passion and dedication.
3/11/2024
Narwhal Incident
Reports
Incident Analysis
Narwhal’s token experienced two considerable drops within a two day period leading to an overall slippage of approximately 99%. The project’s official X account @Narwhal_fyi, announced that they had experienced an exploit, but did not give any specific details. Initial indications pointed to a private key compromise, however on-chain links suggest this incident was an exit scam. Approximately $1 million worth of funds were deposited into Tornado Cash with a further $410,000 sitting in two wallets. In this blog, we will outline the suspicious links that indicate that this incident is an exit scam.
1/10/2024
Slippery Rug: The Uncontrolled Launch of Smashcash
Blogs
Incident Analysis
On Feb 13, 2023, Smashcash was reported with a potential rug pull implanted within the initial token distribution, where the wallets that received the initial distribution sold the tokens for ~45.6 BNB.
1/8/2024
CertiK Logo
SOC
© 2024 by CertiK. All Rights Reserved.
Products & Technology
Smart Contract AuditSkynetSecurity ScoreKYCPenetration TestingBug BountyFormal VerificationAdvisory ServicesSkyHarborSkyInsights
Company
AboutVenturesBlogCareersDisclaimerPrivacy PolicyCookie PolicyTerms and ConditionsTrust and Security
Social Media
CertiKSecurity LeaderboardCertiK AlertTelegramYoutube
MediumLinkedIn
Wechat
Discord
MediumLinkedIn
Wechat
Discord
© 2024 by CertiK. All Rights Reserved.
;