Merlin Labs (REKT 3): Reward Minting Manipulation (Balance Inflation)
Merlin Labs was exploited for the third time in a month when an unannounced test vault on mainnet allowed an attacker to inflate WBNB "profit" via a direct contract transfer, minting MERL tokens far beyond what was economically justified.
Summary #
Merlin Labs (REKT 3) suffered a Yield Aggregator on 2021-06-29, resulting in a loss of approximately $330K.
What happened #
Merlin Labs was exploited for the third time in a month when an unannounced test vault on mainnet allowed an attacker to inflate WBNB "profit" via a direct contract transfer, minting MERL tokens far beyond what was economically justified.
Linked factors #
- RD-F-001 — causal : ★ Audit scope mismatch — alternate field name [via dashboard_risk_factors/Exploited code in scope?: No — new test vault deployed to mainnet without audit]
- RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (new test vault)]
- RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — Alpaca single-asset vaults, described as "test" deployment]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-076 — related : Protocol age (Cat 5 — < 6 months age signal) [via dashboard_risk_factors/Protocol age: ~5 weeks (launched late May 2021)]
- RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — new vault deployment (unannounced)]
- RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Partially anonymous; lead engineer had left the team]
- RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — PancakeBunny fork]