Initialization Oversight: The Merlin DEX Exploit
1/8/2024

Project name: Merlin DEX

Project type: DEX

Date of exploit: April 26, 2023

Asset loss: 435 WETH, 811K USDC

Vulnerability: Privileged role

Date of audit report publishing: Apr 14, 2023

Conclusion: Within the audit report

Details of the Exploit

Background

In the Merlin DEX project, the MerlinSwapPair contract is deployed by a factory contract to create a pool for a pair of tokens. The pool is used for token swaps and liquidity management.

Nature of the Vulnerability

When the MerlinSwapPair contract is initialized, it approves the maximum allowance of both pool tokens to the feeTo address of the factory. As a result, the feeTo address can transfer all reserves out of the pool directly via transferFrom, without going through the pool's swap or liquidity logic.
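As an added illustration (not Merlin DEX's actual source), the initialization pattern described above in simplified Solidity, beside a hardened form that never grants the fee recipient an allowance; contract, function and interface names are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";

interface IFactoryWithFee {
    function feeTo() external view returns (address);
}

// Illustrative pattern (hypothetical, not Merlin's code): initialization hands
// the factory's feeTo address an unbounded allowance over both reserves.
contract VulnerablePairInit {
    address public factory;
    address public token0;
    address public token1;
    function initialize(address _token0, address _token1) external {
        require(factory == address(0), "already initialized");
        factory = msg.sender;
        token0 = _token0;
        token1 = _token1;
        // Every token held by the pool can now be pulled by feeTo with transferFrom.
        address feeTo = IFactoryWithFee(factory).feeTo();
        IERC20(token0).approve(feeTo, type(uint256).max);
        IERC20(token1).approve(feeTo, type(uint256).max);
    }
}

// Hardened variant: no allowance is ever granted; fees accrue in bookkeeping
// and are paid out by the pair itself, capped at the accrued amount.
contract HardenedPairInit {
    address public factory;
    address public token0;
    address public token1;
    uint256 public accruedFee0; // updated by swap logic (omitted here)
    uint256 public accruedFee1;
    function initialize(address _token0, address _token1) external {
        require(factory == address(0), "already initialized");
        factory = msg.sender;
        token0 = _token0;
        token1 = _token1;
        // Nothing is approved: reserves stay under the pair's own control.
    }
    function collectFees() external {
        address feeTo = IFactoryWithFee(factory).feeTo();
        uint256 f0 = accruedFee0; uint256 f1 = accruedFee1;
        accruedFee0 = 0; accruedFee1 = 0; // clear before external calls
        if (f0 > 0) require(IERC20(token0).transfer(feeTo, f0), "fee0");
        if (f1 > 0) require(IERC20(token1).transfer(feeTo, f1), "fee1");
    }
}
```

A quick review check for this class of bug is to grep a pair contract's constructor or initializer for approve calls with type(uint256).max and ask who controls the spender.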

CertiK Audit Overview


Conclusion

On April 26, 2023, Merlin DEX pools were drained due to a vulnerability in the initialization of the MerlinSwapPair contract, leading to a loss of 435 WETH and 811K USDC.

Using that allowance, the contract deployer transferred all funds out of the Merlin DEX pools directly. The vulnerability lies in the initialization of the MerlinSwapPair contract, which approves maximum allowances to the factory contract's feeTo role. The vulnerability is within CertiK's audit scope.