As usual we are meeting to discuss the recent BSC hacks, and today we are going to talk about MerlinLab.
As you may have heard, on June 29th around 7 AM UTC, MerlinLab was the victim of an exploit as reported on their Telegram.
During the attack, about $330K was stolen, which significantly impacted MerlinLab’s TVL, lowering it to 1.5M. As a reminder, before this event MerlinLab had more than 100M TVL and was one of the big players on BSC. The price has also fallen from around $15 to $0.15.
Here is the wallet of the exploiter: 0x2bADa393e53D0373788d15fD98CB5Fb1441645BD
It is also important to note that this incident is not an isolated case: Merlin had already been the victim of 2 flashloan attacks last May, and had put protection and prevention measures in place following those attacks.
According to PeckShield the exploit was due to a logic bug which did not properly calculate the deserved profit.
How did MerlinLab work?
Merlin was a fork of Bunny, that is to say a copy that worked under the same model. Basically, Merlin charged a performance fee on the tokens staked in the vaults and in exchange offered its own token as a reward. Once 1 BNB was reached in terms of performance fees, 35 MERLs were minted. Thus, if the price of BNB increased, the tokens were minted less frequently, which was meant to ensure price stability.
Everything was going normally until the MerlinLab team decided to test their new strategy with Alpaca on mainnet.
The problem is that BNB sent directly to the contract is also converted to WBNB and considered “profit”. In other words, once BNB has been sent to the contract and a harvest is run, all of that BNB is assumed to be rewardable profit.
Step by step it goes like this:
1. Deposited 0.1 $WBNB to Merlin’s Alpaca Vault.
2. Transferred 546 $WBNB and 1 $ALPACA (for bypassing the reinvest condition check when executing the harvest() function) to the vault as the reward.
3. Harvested the reward to force Merlin’s Alpaca Vault to reinvest.
4. Executed WithdrawAll(), which deducted the performance fee from the reward and minted $MERL as compensation through the function mintFor().
5. In function mintFor(), the amount of $MERL to be minted is calculated as the performance fee multiplied by a static variable (merlinPerProfitBNB) equal to “20 * 10¹⁸”, which led to an excessive amount of minted $MERL compared to the actual $MERL price.
6. Swapped all minted $MERL to $WBNB to make a profit.
In this transaction, the attacker deposited 0.1 $WBNB and transferred 546.81 $WBNB to Merlin’s Alpaca Vault. Then withdrew 382.70 $WBNB and swapped the 5,625.69 $MERL minted to be 246.29 $WBNB. Therefore, the attacker gained 82.78 $WBNB as shown in the following calculation:
246.29 + 382.70 - 546.81 - 0.1 = 82.78 $WBNB
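The accounting flaw behind these steps can be shown with a small model. This is an added example, not MerlinLab's contract code: the `Vault` class, the 30% fee and the amounts are assumptions constructed for illustration, and only the static rate `20 * 10**18` comes from the write-up. It compares profit computed from the raw contract balance with profit measured as the balance change around the reward claim.

```python
# Simplified model (added example): integer amounts, 1 token = 10**18 units.
WAD = 10**18
MERLIN_PER_PROFIT_BNB = 20 * WAD   # static rate quoted in the write-up
FEE_BPS = 3000                     # assumed 30% performance fee, not from the page


class Vault:
    """Toy WBNB vault; `strategy_yield` stands in for real farming rewards."""

    def __init__(self, track_balance_delta):
        self.track_balance_delta = track_balance_delta
        self.balance = 0      # raw token balance held by the contract
        self.principal = 0    # amounts that came in through deposit()
        self.earned = 0       # profit recorded by harvest()

    def deposit(self, amount):
        self.balance += amount
        self.principal += amount

    def receive_transfer(self, amount):
        # A plain token transfer to the contract address: no vault logic runs.
        self.balance += amount

    def harvest(self, strategy_yield):
        before = self.balance
        self.balance += strategy_yield   # rewards claimed from the strategy
        if self.track_balance_delta:
            # Hardened: only what the claim itself brought in counts as profit.
            self.earned += self.balance - before
        else:
            # Flawed: everything above principal is treated as profit.
            self.earned = self.balance - self.principal

    def withdraw_all(self):
        fee = self.earned * FEE_BPS // 10_000
        minted = fee * MERLIN_PER_PROFIT_BNB // WAD   # mintFor() at static rate
        return fee, minted


def minted_after_transfer(track_balance_delta, transferred, strategy_yield=0):
    """MERL minted after a 0.1 deposit, a direct transfer and one harvest."""
    vault = Vault(track_balance_delta)
    vault.deposit(WAD // 10)
    vault.receive_transfer(transferred)
    vault.harvest(strategy_yield)
    return vault.withdraw_all()[1]
```

With balance-delta tracking, a direct transfer changes nothing about the mint; a useful regression test for any vault of this design is that the minted amount is identical with and without an unsolicited transfer.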
MerlinLab have indicated on their Telegram group that they have unfortunately decided to stop their activities. Indeed, the 3rd attack seems to have been too much.
A few minutes after the announcement, Merlin shut down their social media channels, including Twitter and Medium.
That’s it for today. We hope you have enjoyed the article, and if another big exploit happens on the BSC you can count on us to cover it!