defirisk.co
rubric v1.7.0

Merlin Labs (REKT 2): Oracle Mispricing

Merlin Labs was exploited for the second time in a single day when an emergency patch introduced a new oracle mispricing bug affecting the BAND token, yielding ~$550K to the attacker.

Occurred 2021-05-27 Loss $550K Status closed

Summary #

Merlin Labs (REKT 2) suffered a Yield Aggregator on 2021-05-27, resulting in a loss of approximately $550K.

What happened #

Merlin Labs was exploited for the second time in a single day when an emergency patch introduced a new oracle mispricing bug affecting the BAND token, yielding ~$550K to the attacker.

Linked factors #

  • RD-F-001 — causal : ★ Audit scope mismatch — alternate field name [via dashboard_risk_factors/Exploited code in scope?: No — new priceCalculator was not audited; it was an emergency patch]
  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (post-hack patch)]
  • RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — priceCalculator was deployed same day as first hack as a fix]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
  • RD-F-076 — related : Protocol age (Cat 5 — < 6 months age signal) [via dashboard_risk_factors/Protocol age: ~2 weeks at first hack]
  • RD-F-077 — causal : Prior exploit count [via cross-hack: Factor 5: Second Exploit on Same Protocol]
  • RD-F-078 — causal : Chronic flag (≥3 prior exploits) [via cross-hack: Factor 5: Second Exploit on Same Protocol] || Chronic flag (≥3 prior exploits) [via cross-hack: Factor 59: Three-or-More Exploit History]
  • RD-F-079 — causal : Same-root-cause repeat exploit [via cross-hack: Factor 5: Second Exploit on Same Protocol]
  • RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly (Y/N): Y — BAND mispriced by new calculator]
  • RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — emergency patch deployed between attacks]
  • RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Partially anonymous]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — PancakeBunny fork]