To our Merlin community,
It has been quite a day for the Merlin team and community as the Merlin minter experienced an economic exploit that led to excess tokens being minted.
No vaults were breached. All funds are safe. We have currently paused all Merlin minting. Vaults are auto-compounding as per usual, with their rewards being in the native token only.
The incident was not a flashloan attack, as the development team had implemented security measures to mitigate the possibility of this. The incident related to an exploit of the getReward code as a large amount of CAKE tokens were manually transferred into the vault contract, which maniplated the minter to create excessive MERL as part of the vault reward. This led to a total of ~59,000 MERL minted during this process.
As this was not a flashloan exploit, a comparably much smaller amount of tokens were minted to other DeFi exploits. This means the team will rectify and rebalance the token economics to their true supply quickly with our below plans.
- The development team is rectifying the code and has engaged a White Hack Specialist consultant to work along with us in this process.
- We have further advised Certik & Haechi of this incident and working with them on the updated code security.
3. All MERL token holders as at May-26–2021 10:29:54 AM +UTC will be eligible for the compensation plan.
4. A compensation Merlin token — cMERL will be airdropped to the users. The details of this will be shared in a separate announcement.
5. cMERL holders will be able to earn MERL & BNB rewards from our Compensation Pool funded by The Merlin Team Contribution. The duration of the pool will last for 6 weeks.
6. Over the course of the following months, additional Development Team Funds will be used to perform burn and buyback activities to rectify token economics until true supply is reached.
The Plan Ahead
7. Once a complete review has been completed for the Merlin vaults, we will enable Merlin minting again. If you wish to receive portion of your rewards in MERL at a higher APY, you must claim only after the MERL minter has been reactivated.
8. In the coming weeks, the team will commit to launching our Lottery and additional Buyback and Burn contributions to aggressively facilitate the deflation of MERL.
The events of this week and today’s unfortunate incident has been a great learning lesson for the Merlin team. We’ve taken the chance to restructure our internal processes and have onboarded ongoing security consultancy to bolster our security measures. Merlin will come out stronger from this and continue to ensure we offer a secure DeFi environment for our community.