
🧙MerlinLab fake "hack" and how to avoid similar rug pulls!

by @vlemon

Hello HODLers,

Today we are going to talk about the MerlinLab hack that took place on June 29th. It is a typical exploit, but this one looks like a rug pull, and I will show you why!

Merlin Lab, an auto-compound platform forked from PancakeBunny, was hacked and lost about 240 ETH.

It was audited by Hacken, CERTIK and HAECHI, but as we will see below that didn't matter, because the exploited contract was a new, unaudited "test" vault.

The attacker followed a method similar to the AutoShark and Bunny hacks.

One thing I keep telling new DeFi users is that to take the least risk you should NOT hold the base asset (the farming token).

For example, in this hack the CAKE and other pools were not hacked or drained. It was the $MERL token that was minted out of thin air and crashed to 0.

The hack, as explained on the Merlin Telegram channel:

"The Merlin Dev team had deployed the Alpaca single asset vaults onto the Mainnet for testing this morning. This vault was not supposed to be publicly available or ready to launch to the public.

Via the smart contract, a hacker deposited 0.1WBNB into the vault and then manually transferred 1000BNB into the contract to trick the contract into thinking it has received 1000BNB in rewards, which resulted in the minter producing MERL rewards."

Well... This looks like complete BS if you ask me. So they release a non-public vault and, oh, a hacker finds a breach and mints $MERL tokens for free.

I have seen this "hack" a hundred times before...
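The accounting bug the Telegram message describes is a classic one: the vault treats any increase in its token balance as harvested yield, so tokens sent straight to the contract address are credited as rewards and the minter pays out on them. The following is an added illustration written for this post, not Merlin's or Alpaca's code; all contract and interface names are hypothetical, and it shows the vulnerable pattern next to the hardened one that only counts what the staking contract actually paid during the harvest call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical interfaces (not from the Merlin contracts).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}
interface IMinter {
    function mintFor(address to, uint256 profit) external; // mints MERL-style reward tokens
}
interface IStaking {
    function claimRewards() external; // pays pending rewards in `want` to the caller
}

// VULNERABLE PATTERN: profit = "everything that arrived since the last harvest".
// A plain ERC-20 transfer to this address (no deposit() call) raises the balance,
// so the delta is credited as yield and reward tokens are minted against it.
contract BalanceDeltaVault {
    IERC20 public immutable want;
    IMinter public immutable minter;
    IStaking public immutable staking;
    uint256 public lastBalance; // deposit()/withdraw() would also update this; omitted for brevity

    constructor(IERC20 w, IMinter m, IStaking s) { want = w; minter = m; staking = s; }

    function harvest() external {
        staking.claimRewards();
        uint256 bal = want.balanceOf(address(this));
        uint256 profit = bal - lastBalance; // BUG: includes tokens pushed in directly
        lastBalance = bal;
        if (profit > 0) minter.mintFor(msg.sender, profit);
    }
}

// HARDENED PATTERN: measure the balance change across the claim call only.
// Tokens that were already sitting in the contract (however they got there)
// are part of `before` and are never counted as profit.
contract ClaimDeltaVault {
    IERC20 public immutable want;
    IMinter public immutable minter;
    IStaking public immutable staking;

    constructor(IERC20 w, IMinter m, IStaking s) { want = w; minter = m; staking = s; }

    function harvest() external {
        uint256 before = want.balanceOf(address(this));
        staking.claimRewards(); // in production also guard with a reentrancy lock
        uint256 profit = want.balanceOf(address(this)) - before; // only what staking paid now
        if (profit > 0) minter.mintFor(msg.sender, profit);
    }
}
```

A reviewer auditing a fork of this kind of vault should look for any `balanceOf(address(this))` read whose baseline is stored across transactions rather than taken inside the same call as the reward claim.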

What was even more scandalous: immediately after the hack they posted this message:

Seriously? You just had an exploit and your answer is "we shut down everything and go dark". To me it just shows they are the ones behind it.

Twitter and other means of communication were shut off right away.

Three comments on Reddit share the same thoughts I had:

  • Mind-boggling that a relatively minor exploit caused Merlin Lab to shut down entirely. They could've easily dealt with this and instituted a Bunny-type recovery plan.

  • From what I gather, in my opinion, it was a well thought out rugpull. They didn't bother telling their Community they were pulling the plug until after they'd secured their own funds. Scumbags

  • Definitely a rug pull. Only reason I knew about MERL was an unsolicited be airdrop to my Metamask a month or so ago. Defi is going to end up making the case for regulation proponents. I've lost money on Bunny, BOG, and now MERL. The big red flag with MERL is they just shut it down and didn't even try to recover. Inside job IMO.

Other projects such as $BOG or $JAWS had the decency to try to compensate and relaunch their product in order to continue what they started to build.

Maybe they were also rug-pulled, but they got their product back online and continued their development.

Source: https://www.merlinlab.com

What are your thoughts on this "hack", and how could we prevent these from happening?
