BSC-based DeFi App Merlin Loses $680K to Recurring Security Exploit

coinfomania.com, 26 May 2021 15:23 UTC

Following a string of attacks on several DeFi protocols in recent weeks, the DeFi space has suffered yet another exploit, this time on Merlin Lab.

According to a report on Rekt, Merlin Lab, a fork of PancakeBunny, was hacked and the platform lost about 240 ETH, worth roughly $680,000 at the time of the attack.

The hacker allegedly followed a series of steps to perpetrate the exploit. According to the transaction details on BscScan, the hacker first deposited a small amount into the LINK-BNB Vault and triggered getReward, then sent 180 CAKE directly to the LINK-BNB Vault contract.

The hacker targeted the vault contract's CAKE wallet balance because the performance fee derived from that balance can be tampered with simply by sending CAKE tokens to the vault contract.

The 180 CAKE he deposited into the vault contract's wallet registered as a large profit, prompting the system to mint 100 MERL as a reward to the hacker.

The hacker then repeated these steps 36 times, obtaining about 49K MERL tokens in total. He swapped the MERL tokens for 240 ETH and moved his loot out of BSC using Anyswap.
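To make the accounting flaw concrete, here is an added, constructed Python model (not Merlin's contract code; the fee rate, mint ratio and the `pool`, `vault` and `user` addresses are hypothetical) contrasting a vault that derives profit from its raw token balance with one that credits only the yield the staking pool actually reports:

```python
# Constructed toy model of a vault's performance-fee accounting, not Merlin's
# contract code. Deriving "profit" from the vault's raw CAKE balance lets a plain
# token transfer inflate the minted reward; crediting only reported yield does not.
PERFORMANCE_FEE_BPS = 3000   # 30% of profit taken as fee (hypothetical rate)
MERL_PER_CAKE_FEE = 10       # reward tokens minted per CAKE of fee (hypothetical)

def transfer(ledger, sender, to, amount):
    """Move CAKE between addresses in a dict-based ERC-20-like ledger."""
    if ledger.get(sender, 0) < amount:
        raise ValueError("insufficient balance")
    ledger[sender] -= amount
    ledger[to] = ledger.get(to, 0) + amount

class BalanceBasedVault:
    """Vulnerable pattern: profit = balanceOf(vault) - last recorded balance."""
    def __init__(self, ledger):
        self.ledger, self.last_balance, self.minted = ledger, 0, {}
    def harvest(self, yield_cake):
        transfer(self.ledger, "pool", "vault", yield_cake)  # genuine yield
    def _mint(self, caller, fee):
        self.minted[caller] = self.minted.get(caller, 0) + fee * MERL_PER_CAKE_FEE
        return self.minted[caller]
    def get_reward(self, caller):
        current = self.ledger.get("vault", 0)
        profit = current - self.last_balance   # includes CAKE sent directly
        self.last_balance = current
        return self._mint(caller, profit * PERFORMANCE_FEE_BPS // 10_000)

class AccountedVault(BalanceBasedVault):
    """Hardened pattern: only yield reported by the pool counts as profit."""
    def __init__(self, ledger):
        super().__init__(ledger)
        self.pending_profit = 0
    def harvest(self, yield_cake):
        super().harvest(yield_cake)
        self.pending_profit += yield_cake      # taken from the pool's own return value
    def get_reward(self, caller):
        fee = self.pending_profit * PERFORMANCE_FEE_BPS // 10_000
        self.pending_profit = 0
        return self._mint(caller, fee)

def simulate(vault_cls, direct_cake):
    """Return (MERL minted for 10 CAKE of real yield, extra MERL after a direct transfer)."""
    ledger = {"pool": 1_000, "user": direct_cake}
    vault = vault_cls(ledger)
    vault.harvest(10)                                   # 10 CAKE of real yield
    baseline = vault.get_reward("user")
    transfer(ledger, "user", "vault", direct_cake)      # plain transfer, not a deposit
    return baseline, vault.get_reward("user") - baseline
```

With a 180 CAKE direct transfer the balance-based vault mints 540 extra MERL while the accounted vault mints none; the detection signal for a deployed vault is the same gap, reward minted without a matching harvest from the pool.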

Merlin Labs is an auto-compounding yield aggregator on Binance Smart Chain where users can stake the MERL token and earn yields in BTCB, ETH, BNB, and CAKE.

During its airdrop, Merlin Lab offered to give out $25,000 worth of $MERL tokens to 1000 random participants as part of its pre-launch marketing campaign.

The BSC-based yield aggregator also said it had chosen to undergo security audits by three reputable blockchain audit firms.

The first, already completed, was by Hacken, a leading cybersecurity consulting company focused on blockchain security. The others, by CertiK and Haechi Labs, are still in progress.

What is noteworthy about the hack on Merlin Labs is not the amount lost but the technique the hacker used.

The method was similar to the Autoshark and Bunny hacks, both also on BSC. The Autoshark hack resulted in a loss of about $745k, while Bunny lost $1 billion drained from its smart contracts.

In the latter case, the hacker, in a single transaction, exchanged the flash-loan proceeds for BNB and other tokens via PancakeSwap, draining the platform of that amount and causing the token price to drop by more than 97%.