Today (29th of June), Merlin Lab was hacked, and $330k was stolen from the protocol. It is the third hack to hit Merlin in the last month.
How did the hack happen?
From the Merlin Telegram Channel, we can read the following:
"The Merlin Dev team had deployed the Alpaca single asset vaults onto the Mainnet for testing this morning. This vault was not supposed to be publicly available or ready to launch to the public.
Via the smart contract, a hacker deposited 0.1WBNB into the vault and then manually transferred 1000BNB into the contract to trick the contract into thinking it has received 1000BNB in rewards, which resulted in the minter producing MERL rewards.
We thank you for your patience.
The Merlin team will share details shortly."
Rugdoc.io did a good job analysing this exploit. Below is their Twitter thread on the subject.
In summary, Merlin's reward system miscalculated rewards and paid out more value in Merlin tokens than it had received.
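A simplified model of the accounting flaw described above, as an added example that is not Merlin's contract code or part of the original post: the `Vault` class, its method names and the mint rate are assumptions made for illustration. It replays the sequence from the Telegram statement against balance-based profit accounting and against accounting that only counts explicitly recorded harvests.

```python
from dataclasses import dataclass, field

WEI = 10**18
MINT_PER_BNB = 20  # constructed rate: reward tokens minted per 1 BNB of profit

@dataclass
class Vault:
    balance_based: bool                 # True = infer profit from raw balance (flawed)
    balance: int = 0                    # asset balance held by the contract, in wei
    principal: dict = field(default_factory=dict)  # depositor -> amount deposited
    harvested: int = 0                  # profit recorded when the strategy pays out

    def deposit(self, user, amount):
        self.balance += amount
        self.principal[user] = self.principal.get(user, 0) + amount

    def direct_transfer(self, amount):
        # Plain transfer to the contract address: no bookkeeping runs.
        self.balance += amount

    def harvest(self, amount):
        # Yield returned by the underlying strategy, recorded explicitly.
        self.balance += amount
        self.harvested += amount

    def claim(self, user):
        total = sum(self.principal.values())
        profit = self.balance - total if self.balance_based else self.harvested
        earned = profit * self.principal[user] // total
        self.balance -= earned
        self.harvested = max(0, self.harvested - earned)
        return earned * MINT_PER_BNB    # reward tokens minted, in wei

def replay(balance_based):
    """Sequence from the quoted statement: small deposit, then a direct transfer."""
    v = Vault(balance_based)
    v.deposit("depositor", WEI // 10)   # 0.1 WBNB
    v.direct_transfer(1000 * WEI)       # 1000 BNB sent straight to the contract
    return v.claim("depositor")

def legit_harvest():
    """Explicit accounting still pays rewards on yield the strategy reports."""
    v = Vault(balance_based=False)
    v.deposit("depositor", WEI // 10)
    v.harvest(5 * WEI)
    return v.claim("depositor")

if __name__ == "__main__":
    print("balance-based mint:", replay(True) // WEI)
    print("explicit accounting mint:", replay(False) // WEI)
    print("explicit accounting, real harvest:", legit_harvest() // WEI)
```

With balance-based accounting the direct transfer is indistinguishable from yield, so the minter pays out on it; with explicit accounting only amounts passed through `harvest` count as profit.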
What does the future hold for Merlin?
MerlinLab ceased operations after the exploit.
Being hacked for the third time within a month makes such a business decision easier.
Interestingly, the new strategy was deployed about a day ago, and the only account that has interacted with it is the exploiter's EOA. 🤯
That’s the attacker address 0x2bADa393e53D0373788d15fD98CB5Fb1441645BD.
Was that a rug pull or a malicious developer wanting to get rich quickly? We don't know, and we probably never will. One thing is for sure: it's hard to trust a fork of a project that was rekted so many times.
Thanks for reading, and if you like my writing, you can subscribe to my blog to receive the daily newsletter, as I'm currently in the middle of a 100 days of blogging challenge.
If the newsletter is not your thing, check out my Twitter @adrianhetman, where I post and share exciting news from the Blockchain world and security.