When I wrote about the PancakeBunny exploit, I didn’t think I would be reporting the same hack for the 3rd time. But that’s our reality when projects fork another project’s code without changing much, and without even pausing the protocol and fixing the issue after the project they forked was hacked for ~$40M.
Merlin Lab was attacked in a very similar fashion to PancakeBunny and AutoShark before it. The hack occurred on May 26th, 2021 03:59:05 AM +UTC.
Credit for the below explanation goes to WatchPug.
- Added a small deposit to the LINK-BNB Vault (with this transaction).
- Sent 180 CAKE directly to the LINK-BNB Vault contract (this is important! This is the key that leads to the hack).
- Called getReward with the LINK-BNB Vault deposit from the first step.
- Because the vault contract now held a rather large amount of CAKE in its wallet balance (sent by the hacker in step 2), getReward computed a large profit (see detailed analysis below). As a result, the system minted 100 MERLIN as a reward to the hacker.
- Repeated this 36 times, obtaining 49K MERLIN tokens in total.
- Swapped the MERLIN tokens for 240 ETH and bridged them out of BSC using Anyswap.
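To make the accounting flaw behind step 2 and step 4 concrete, here is a toy Python model written for this post (it is not Merlin's, PancakeBunny's or AutoShark's contract code; the vault class, the mint rate and the amounts are constructed). The vulnerable variant measures "profit" by the CAKE sitting in the contract, so a plain token transfer is indistinguishable from farm yield; the hardened variant only counts CAKE the vault itself harvested.

```python
from dataclasses import dataclass

MINT_PER_CAKE = 10  # constructed rate: governance tokens minted per CAKE of profit


@dataclass
class Vault:
    """Toy vault (constructed for this post, not Merlin's contract): pays out
    CAKE profit on getReward() and mints a governance token in proportion."""
    use_balance_of: bool          # True = vulnerable accounting, False = hardened
    cake_balance: int = 0         # what balanceOf(address(this)) would report on-chain
    harvested_unpaid: int = 0     # CAKE the vault itself harvested from the farm, not yet paid
    minted: int = 0

    def harvest(self, amount: int) -> None:
        """Legitimate yield: the vault claims CAKE from the farm it stakes in."""
        self.cake_balance += amount
        self.harvested_unpaid += amount

    def donate(self, amount: int) -> None:
        """Plain ERC-20 transfer to the vault address; no vault function runs."""
        self.cake_balance += amount

    def get_reward(self) -> tuple[int, int]:
        """Pay the caller the vault's profit in CAKE and mint tokens for it.
        Returns (cake_paid, tokens_minted)."""
        if self.use_balance_of:
            profit = self.cake_balance       # trusts whatever sits in the contract
        else:
            profit = self.harvested_unpaid   # trusts only what the vault harvested
        self.cake_balance -= profit
        self.harvested_unpaid = 0
        tokens = profit * MINT_PER_CAKE
        self.minted += tokens
        return profit, tokens


def run_attack(vulnerable: bool, rounds: int = 36, donation: int = 180) -> dict:
    """Replay the post's sequence: send CAKE to the vault, call getReward, repeat."""
    vault = Vault(use_balance_of=vulnerable)
    cake_out, tokens_out = 0, 0
    for _ in range(rounds):
        vault.donate(donation)
        paid, minted = vault.get_reward()
        cake_out += paid          # vulnerable: the donation comes straight back as "profit"
        tokens_out += minted      # ...plus freshly minted governance tokens
    return {"cake_recovered": cake_out, "tokens_minted": tokens_out,
            "cake_left_in_vault": vault.cake_balance}
```

In the vulnerable variant every round returns the 180 CAKE and mints tokens on top, so the same 180 CAKE is recycled 36 times; in the hardened variant the donated CAKE simply stays in the vault and nothing is minted, while genuine harvests still pay out.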
What to do next?
I can only recommend double-checking the code you’re forking and getting an audit even if the original code was audited, and not making changes to code you don’t understand. I’ve already written about this.
This time I can also recommend a read from another source covering the same ground. CertiK prepared a fantastic piece about understanding security risks in DeFi. I highly encourage you to read it.
Thanks for reading, and if you like my writing, you can subscribe to my blog to receive the daily newsletter, as I’m currently in the middle of a 100 days of blogging challenge. Subscription box below 👇
If the newsletter is not your thing, check out my Twitter @adrianhetman, where I post and share exciting news from the Blockchain world and security.
See you tomorrow!