To our Merlin community,

It has been quite a day for the Merlin team and community as the Merlin minter experienced an economic exploit that led to excess tokens being minted.

No vaults were breached. All funds are safe. We have currently paused all Merlin minting. Vaults are auto-compounding as per usual, with their rewards being in the native token only.

Summary

The incident was not a flashloan attack, as the development team had implemented security measures to mitigate the possibility of this. The incident was an exploit of the getReward code: a large amount of CAKE tokens was manually transferred into the vault contract, which manipulated the minter into creating excessive MERL as part of the vault reward. This led to a total of ~59,000 MERL being minted during this process.

As this was not a flashloan exploit, a much smaller amount of tokens was minted compared to other DeFi exploits. This means the team will rectify and rebalance the token economics to their true supply quickly with the plans below.
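The failure class described in the Summary, as an added example that is not Merlin's contract code: a simplified Python model of a vault that mints a reward in proportion to profit, once inferring profit from its raw token balance and once from yield it recorded itself. The class, its method names, the mint rate and the amounts are assumptions made for illustration.

```python
# Simplified model of the failure class; all names and numbers are
# hypothetical and are not taken from Merlin's contracts.
MINT_PER_PROFIT = 2  # assumed: reward tokens minted per unit of vault profit


class Vault:
    def __init__(self, trust_raw_balance):
        self.trust_raw_balance = trust_raw_balance
        self.balance = 0         # balance the token contract reports for the vault
        self.principal = 0       # user deposits recorded by the vault
        self.recorded_yield = 0  # yield the vault itself booked at harvest time

    def deposit(self, amount):
        self.balance += amount
        self.principal += amount

    def harvest(self, farm_yield):
        self.balance += farm_yield
        self.recorded_yield += farm_yield

    def transfer_in(self, amount):
        # A plain token transfer: the balance grows, no vault function runs.
        self.balance += amount

    def unaccounted(self):
        # Tokens held but never booked; a non-zero value is worth alerting on.
        return self.balance - self.principal - self.recorded_yield

    def get_reward(self):
        if self.trust_raw_balance:
            profit = self.balance - self.principal  # weak: counts any transfer
        else:
            profit = self.recorded_yield            # hardened: booked yield only
        self.balance -= profit                      # profit is paid to the claimer
        self.recorded_yield = 0
        return profit * MINT_PER_PROFIT             # reward tokens minted


def minted_after_transfer(trust_raw_balance, transferred):
    """Return (reward minted, unaccounted surplus) for one constructed scenario."""
    vault = Vault(trust_raw_balance)
    vault.deposit(100)
    vault.harvest(5)
    vault.transfer_in(transferred)
    return vault.get_reward(), vault.unaccounted()
```

With no direct transfer both variants mint the same reward; with one, only the balance-based variant mints against it, while the accounted variant leaves the surplus visible in `unaccounted()`.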

Next Steps

  1. The development team is rectifying the code and has engaged a White Hack Specialist consultant to work along with us in this process.
  2. We have further advised Certik & Haechi of this incident and are working with them on the updated code security.

Recovery Plan

3. All MERL token holders as at May-26–2021 10:29:54 AM +UTC will be eligible for the compensation plan.

4. A compensation Merlin token — cMERL will be airdropped to the users. The details of this will be shared in a separate announcement.

5. cMERL holders will be able to earn MERL & BNB rewards from our Compensation Pool funded by The Merlin Team Contribution. The duration of the pool will last for 6 weeks.

6. Over the course of the following months, additional Development Team Funds will be used to perform burn and buyback activities to rectify token economics until true supply is reached.

The Plan Ahead

7. Once a complete review has been completed for the Merlin vaults, we will enable Merlin minting again. If you wish to receive a portion of your rewards in MERL at a higher APY, you must claim only after the MERL minter has been reactivated.

8. In the coming weeks, the team will commit to launching our Lottery and additional Buyback and Burn contributions to aggressively facilitate the deflation of MERL.

Reflection

The events of this week and today’s unfortunate incident have been a great learning lesson for the Merlin team. We’ve taken the chance to restructure our internal processes and have onboarded ongoing security consultancy to bolster our security measures. Merlin will come out stronger from this and continue to ensure we offer a secure DeFi environment for our community.

Auto-compounding yield aggregator on BSC. Stake $MERL to earn BTCB, ETH, BNB.
