defirisk.co
rubric v1.7.0

Merlin DEX: Insider rug — max approval drain via privileged Feeto address

Merlin DEX's back-end team exploited Certik-approved max token approvals to drain $1.82M from its own liquidity pools two days after passing its second audit.

Occurred 2023-04-25 Loss $2M Status closed

Summary #

Merlin DEX suffered a DEX / AMM on 2023-04-25, resulting in a loss of approximately $2M.

What happened #

Merlin DEX's back-end team exploited Certik-approved max token approvals to drain $1.82M from its own liquidity pools two days after passing its second audit.

Linked factors #

  • RD-F-001 — causal : ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — pools deployed fresh for the LGE] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — pools deployed fresh for the LGE]
  • RD-F-007 — causal : Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: No]
  • RD-F-008 — illustrative : Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — but centralization risk dismissed by auditor]
  • RD-F-043 — causal : ★ Admin = deployer EOA + no multisig transfer within 7 days [via cross-hack: Factor 24: Retained Developer Admin Role Post-Deployment]
  • RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — Feeto address held permanent max approval from pool deployment]
  • RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Mixed — front-end team public, back-end team (who executed rug) were anonymous/pseudonymous]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — concentrated liquidity DEX; custom code for zkSync]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — pools deployed fresh for the LGE]