Project name: Merlin DEX
Project type: DEX
Date of exploit: April 26, 2023
Asset loss: 435 WETH, 811K USDC
Vulnerability: Privileged role
Date of audit report publishing: Apr 14, 2023
Conclusion: Within the audit report
In the Merlin DEX project, the MerlinSwapPair contract is deployed by a factory contract to create pairing pools for two tokens. The pool will be used for token exchange and liquidity management.
When the MerlinSwapPair contract is initialized, maximum allowances of two tokens inside the pool are approved to the feeTo role of the factory, which means feeTo address can withdraw all reserves in the pool directly.
On April 26, 2023, Merlin DEX pools were drained due to a vulnerability in the initialization of the MerlinSwapPair contract, leading to a loss of 435 WETH and 811K USDC.
The contract deployer withdrew all funds in Merlin DEX pools directly.
The vulnerability lies in the initialization of the MerlinSwapPair contract, which approves max allowances to the factory contract's
feeTo role. The vulnerability is in CertiK's audit scope.