At 15:24 on June 29, the price of MERL, the token of the BSC yield aggregator ("machine gun pool") project Merlinlab, flash-crashed from $16 to $8 in 3 minutes, a drop of 50%.
The project's Telegram group began to stir, with some believing that the plunge was caused by a hacker minting additional tokens and then dumping them on the market. However, the project's admin explained that a large investor had crashed the market and that no additional tokens had been issued.
At 16:28, blockchain security firm PeckShield issued an alert about a suspected attack on Merlinlab. Twitter blogger "John Dough" added that the hackers had already transferred 154 ETH of profits to Ethereum via the cross-chain bridge Anyswap and escaped.
At 17:21, PeckShield tentatively concluded that a bug in MerlinStrategyAlpacaBNB had been exploited.
The project team was not slow to react: at 16:55 it began investigating the cause.
At 17:24, the project came to the preliminary conclusion that an economic rules loophole had been exploited: the
The Merlin development team deployed the Alpaca Single Asset Vault to the mainnet for testing this morning. This vault should not be publicly available or ready for release to the public.
Through a smart contract, the hacker deposited 0.1 WBNB into the vault and then manually transferred 1000 BNB into the contract, tricking it into thinking it had received a 1000 BNB reward, which caused it to mint MERL rewards.
In short, it appears that Merlinlab wanted to launch a new feature and, that morning, deployed a contract directly to the mainnet for testing. The contract had not been thoroughly tested, and the hacker caught it. Since Merlin's incentive is calculated from the BNB received, this led to a massive increase in MERL issuance.
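The accounting flaw described above can be modelled in a few lines. This is an added example, not Merlin's contract code: the class names, the mint rate and the fee share are constructed for illustration. It contrasts a vault that infers profit from its raw balance with one that only counts yield booked through its own harvest path.

```python
from decimal import Decimal as D

MERL_PER_BNB = D("10")      # constructed mint rate, not Merlin's real parameter
PERFORMANCE_FEE = D("0.3")  # constructed share of profit that earns MERL

class BalanceBasedVault:
    """Flawed model: any BNB above recorded principal is treated as profit."""
    def __init__(self):
        self.balance = D(0)   # raw BNB held at the contract address
        self.principal = {}   # user -> deposited amount

    def deposit(self, user, amount):
        self.balance += amount
        self.principal[user] = self.principal.get(user, D(0)) + amount

    def receive(self, amount):  # plain transfer: no deposit record is created
        self.balance += amount

    def harvest_from_strategy(self, amount):  # yield paid by the strategy
        self.balance += amount

    def profit(self):
        return self.balance - sum(self.principal.values())

    def claim(self, user):  # MERL minted for this user's share of the profit
        share = self.principal[user] / sum(self.principal.values())
        return self.profit() * share * PERFORMANCE_FEE * MERL_PER_BNB

class AccountedVault(BalanceBasedVault):
    """Hardened model: only yield booked by the harvest path counts."""
    def __init__(self):
        super().__init__()
        self.harvested = D(0)

    def harvest_from_strategy(self, amount):
        super().harvest_from_strategy(amount)
        self.harvested += amount

    def profit(self):
        return self.harvested

def replay(vault_cls, real_yield=D(0)):
    """Replay the article's sequence: 0.1 deposit, then a 1000 BNB transfer."""
    vault = vault_cls()
    vault.deposit("depositor", D("0.1"))
    vault.receive(D("1000"))
    vault.harvest_from_strategy(real_yield)
    return vault.claim("depositor")
```

In the balance-based model the unsolicited transfer is indistinguishable from strategy yield, so rewards are minted against it; the accounted model mints only against yield that arrived through the harvest path.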
This oversight by the project team should not have happened.
Some investors said that this vault should not be publicly available or ready to be released to the public.
The BSC community KOL Tu'au big lion brother thinks, "The team announced the reason for this hack, and it's kind of funny: the contract was manually cheated by the hacker. The team will announce the specific details later. This also reminds other project teams that they need to be careful: hackers will not only attack through bugs, but also take advantage of loopholes in economic rules."
At 17:38, PeckShield checked out the code of the contract where the attack took place.
However, some investors suspect the team itself of foul play.
The reason for the suspicion is that everything, from updating the code and going live to the attack, the additional issuance and the cash-out, happened in one go within a few hours. It is hard to say that this was not an insider.
"The contract was only released this morning. If it was not the project team, could any hacker have identified the logic vulnerability and attacked so quickly? Plus, it was just a contract for a test function deployed to the mainnet, which the project team knows best."
Others believe that "they deliberately increased the issuance; the market is not good, so all that is left is to fleece the miners."
The above is just speculation, and there is no direct evidence.
Confidence is more important than gold
In fact, this is the third attack on the project. The first two attacks took place on May 26, and the hackers profited $1.2 million. The MERL token price fell from about $40 to $20 during the attack.
A third attack a month later is undoubtedly a huge blow to the confidence of the investors who are still farming on the project.
The phrase “confidence is more important than gold” could not be more appropriate in the DeFi space.
Since the attack on PancakeBunny, once BSC's largest yield aggregator, its token price has collapsed, its TVL has plummeted, and a large number of DeFi farmers have moved their funds elsewhere, never to return.
PancakeBunny converts 30% of farming revenue into Bunny: for every BNB of profit generated, Bunny is distributed at a set exchange rate. This distribution mechanism binds the project strongly to BNB and provides a certain amount of value support. After the hack in May, PancakeBunny changed the distribution exchange rate to 1 BNB = 15 Bunny; at the current BNB price of $300, the price of Bunny should be $20. However, the current price of Bunny is lower than this figure.
PancakeBunny locked up $7 billion at its height, leaving Yearn Finance, the largest yield aggregator on Ethereum, far behind. Today, PancakeBunny has a TVL of just under $700 million, while Yearn Finance has a TVL of over $4 billion.
It remains to be seen whether Merlinlab, as a replica of PancakeBunny, will be abandoned by the market like its predecessor or find its own way to recover.
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/another-project-of-bsc-was-hacked-is-it-a-case-of-self-stealing-or-negligence/