Merlin Lab Performance Fee Minting Incident Analysis

The Exploit

How?

  1. Added a small sum of deposit to the LINK-BNB Vault (with this transaction).
  2. Send 180 CAKE to the LINK-BNB Vault contract. (this is important! this is the key that leads to the hack.)
  3. Call getReward with the deposit of LINK-BNB Vault from the first step.
  4. With the rather large amount of CAKE token in the wallet balance of the vault contract (sent by the hacker at step 2), it returned a large amount of profit (see detailed analysis below). As a result, the system minted 100 MERLIN as a reward to the hacker.
  5. Repeated 36 times. Got 49K of MERLIN token in total.
  6. Swapped MERLIN token into 240 ETH and transferred out of BSC using Anyswap.

Why?

Use wallet balance of CAKE as the profit (performanceFee) which can be easily tampered with by just sending the CAKE token to the vault contract.

About Us

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store