Merlin Labs: External token balance spoofing → excess native token minting
Summary #
Merlin Labs, a Yield Aggregator / Vault (PancakeBunny fork), was exploited on 2021-05-26, resulting in a loss of approximately $680K.
What happened #
Merlin Labs, a PancakeBunny fork audited just 11 days prior, lost $680K when an attacker sent CAKE tokens directly to a vault contract, tricking it into minting excess MERL rewards 36 times.
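The bug class behind this incident, shown as an added illustrative example rather than Merlin's or PancakeBunny's actual code: a vault that infers "profit" from its raw CAKE balance will treat any token pushed directly into it as harvested yield and mint native rewards against it, while a vault that credits yield only through a trusted harvest path does not. The contract names, the `MERL_PER_CAKE` ratio, the `reportHarvest` function and the single-`strategy` design are simplifying assumptions, not the protocol's real interfaces.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Minimal interfaces (assumed for this example).
interface IERC20 {
    function balanceOf(address a) external view returns (uint256);
    function transferFrom(address f, address t, uint256 v) external returns (bool);
}
interface IMintable { function mint(address to, uint256 amount) external; }

// VULNERABLE: yield is inferred from the raw CAKE balance, so CAKE sent
// straight to the vault is indistinguishable from harvested profit.
contract BalanceBasedVault {
    IERC20 immutable cake; IMintable immutable merl;
    uint256 public tracked;                 // balance the vault believes it holds
    uint256 constant MERL_PER_CAKE = 10;    // hypothetical reward ratio
    constructor(IERC20 c, IMintable m) { cake = c; merl = m; }
    function deposit(uint256 amount) external {
        require(cake.transferFrom(msg.sender, address(this), amount));
        tracked += amount;
    }
    // An external send of N CAKE followed by getReward() yields profit == N
    // and mints MERL; each call re-bases `tracked`, so it repeats cleanly.
    function getReward() external {
        uint256 bal = cake.balanceOf(address(this));
        uint256 profit = bal - tracked;     // spoofable by a direct transfer
        tracked = bal;
        merl.mint(msg.sender, profit * MERL_PER_CAKE);
    }
}

// HARDENED: profit is credited only through the strategy's harvest call,
// measured by what that call actually pulled in, never by reading balanceOf.
contract InternalAccountingVault {
    IERC20 immutable cake; IMintable immutable merl; address immutable strategy;
    uint256 public tracked; uint256 public pendingProfit;
    uint256 constant MERL_PER_CAKE = 10;
    constructor(IERC20 c, IMintable m, address s) { cake = c; merl = m; strategy = s; }
    function deposit(uint256 amount) external {
        require(cake.transferFrom(msg.sender, address(this), amount));
        tracked += amount;
    }
    // Only the strategy may report yield, and only as much as it hands over.
    function reportHarvest(uint256 amount) external {
        require(msg.sender == strategy, "not strategy");
        require(cake.transferFrom(strategy, address(this), amount));
        tracked += amount; pendingProfit += amount;
    }
    function getReward() external {
        uint256 profit = pendingProfit; pendingProfit = 0;
        merl.mint(msg.sender, profit * MERL_PER_CAKE);   // stray CAKE never mints MERL
    }
}
```

In the hardened variant any CAKE that arrives outside `deposit`/`reportHarvest` shows up as `balanceOf(this) - tracked` and can be swept to a treasury, but it never enters the reward calculation; reward distribution per user is omitted here to keep the accounting difference visible.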
Linked factors #
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown / not mentioned]
- RD-F-008 — illustrative : Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — bug survived Hacken review conducted 11 days prior]
- RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: 36 repeated calls to getReward() interspersed with external CAKE sends — pattern would stand out in mempool/event monitoring]
- RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Anonymous]
- RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — PancakeBunny fork]