Valix Consulting
Published in

Valix Consulting

Merlin Lab — Incident Case Analysis

By Phuwanai Thummavet

This report analyzes the incident of Merlin Lab exploited on Jun-29–2021 01:38:21 AM +UTC.

On Jun-28–2021 11:46:36 AM +UTC, Merlin deployed a new strategy for Alpaca-BNB, called MerlinStrategyAlpacaBNB. The attack then began after 14 hours of the strategy deployment.

Table of Contents

  • TLDR
  • Associated Addresses
  • Incident Analysis
  • Associated Transactions
  • Summary

TLDR

Figure 1. Each attack transaction comprised of seven steps

The attacker executed 25 significant transactions to profit from the newly deployed Merlin’s strategy for Alpaca-BNB.

Each attack transaction comprised of seven steps, as depicted in Figure 1, including:

  1. Deposited 0.1 WBNB to Merlin’s Alpaca Vault
  2. Transferred a certain amount of WBNB to Merlin Proxy Contract
  3. Transferred 1 ALPACA to Merlin Proxy Contract
  4. Harvested the ALPACA reward
  5. Obtained incorrectly minted MERL reward
  6. Withdrew the deposited 0.1 WBNB
  7. Swapped the incorrectly minted MERL for a profit in WBNB

After executing the 25 attack transactions, the attacker took a profit of 1077.45 WBNB in total. You can find the details of the transactions in the Associated Transaction section below.

Incident Analysis

In this section, we give you a detailed step-by-step analysis of the incident. One of the 25 attack transactions was picked to investigate, transaction id: 0x31fdf621f60684579de00f30b33fa051c19f1fd45d891c817e2a3888a9b75726. The attacker, in addition, used the same technique for the other transactions.

Figure 2. Overview of Smart Contracts interaction

The attacker exploited the attack by deploying a custom smart contract as an attack automated tool called Attacker Contract.

As illustrated in Figure 2, the attacker invoked the deployed Attacker Contract. The Attacker Contract then atomically executed sequential calls to other related contracts to profit the attacker within a single transaction.

The attack transaction can be broken down into seven steps as follows.

Step 1: Deposited 0.1 WBNB to Merlin’s Alpaca Vault

Figure 3. The _deposit function of Merlin Contract

The attack began by the attacker made a call to the Attacker Contract. Then, the Attacker Contract transferred 0.1 WBNB to the _deposit function of Merlin Proxy as Step 1.

The function then deposited the received 0.1 WBNB to the Alpaca Vault to mint ibBNB tokens for the Attacker Contract (line no. 201). The function then calculated shares and principal variables (line no’s. 214–218) reflecting a deposit portion of the Attacker Contract in the MerlinStrategyAlpacaBNB’s pool.

Note, the ibBNB is the Alpaca’s interest-bearing token used to keep track of the users’ deposited funds and any interest earned.

Step 2: Transferred 546.712 WBNB to Merlin Proxy Contract

Figure 4. The transfer function of WBNB Contract

Then, the Attacker Contract called the transfer function on WBNB Contract to transfer 546.712 WBNB to Merlin Proxy Contract as Step 2.

Step 3: Transferred 1 ALPACA to Merlin Proxy Contract

Figure 5. The transfer function of Alpaca Contract

Next, the Attacker Contract called the transfer function on Alpaca Contract to transfer 1 ALPACA to Merlin Proxy Contract as Step 3.

Step 4: Harvested the ALPACA reward

Figure 6. The _harvest and _tryReinvest functions of Merlin Contract

In Step 4, the Attacker Contract executed the _harvest function to harvest the ALPACA reward. The _harvest function has a staking check (line no. 192). However, since the Attacker Contract has previously deposited 0.1 WBNB in Step 1, the deposit bypassed the staking check logic here.

Since the deposit of 0.1 WBNB to the Alpaca Vault in Step 1 has just performed, within the same transaction as Step 4, there was no ALPACA reward earned (line no. 194). However, the attacker’s objective for executing this step was to invoke the _tryReinvest function (line no. 196).

Since the _tryReinvest function has the reward amount check logic in line no. 209, the control flow would pass this check if and only if the rewardTokenAmount is more than or equal to the rewardTokenSwapThreshold.

Because the function considered the deposit of 1 ALPACA in Step 3 as a reward, rewardTokenAmount, the condition check was bypassed. Next, the function swapped the deposited 1 ALPACA for 0.001424 WBNB via PancakeSwap Router (line no. 212).

Subsequently, once the function looked up for its balance, the function found 546.713 WBNB (i.e., 546.712 WBNB from the transfer in Step 2 + 0.001424 WBNB from the reward swap in line no. 212). Surprisingly, the function determined this balance as stakingTokenAmount (line no. 215).

Eventually, the function deposited the stakingTokenAmount, 546.713 WBNB, to the Alpaca Vault, and the addition ibBNB tokens were minted for the Attacker Contract (line no. 221).

Step 5: Obtained incorrectly minted MERL reward

Figure 7. The _getRewards function of Merlin Contract

Later, the Attacker Contract invoked the _getRewards function as Step 5. Intriguingly, the function considered the deposited 546.713 WBNB in the previous step as the earnedWantTokenAmount (line no. 276).

In line no. 299, the earnedWantTokenAmount was passed as an argument into the function _addProfitReward, and this is where the incorrect MERL tokens were minted as rewards by mistake. We will have a look into the details of this function later on.

After the execution in line no. 299 succeeded, the earnedWantTokenAmount would hold some profit reward of 382.7 WBNB. This reward was then transferred to the Attacker Contract (line no. 303).

Figure 8. The _addProfitReward function of Merlin Contract

Let’s investigate how the incorrect MERL tokens were mistakenly minted. The reward of 546.713 WBNB was passed as theamount argument into the _addProfitReward function. The amount was used to calculate a performance fee (line no. 236), which was 164014164406883244159 in this case. After that, the performance fee was passed into the mintFor function (line no. 245).

Figure 9. The mintFor function of Merlin Contract

In the mintFor function, the new _performanceFee was calculated (line no’s. 211–212). The contribution parameter was computed from the _performanceFee (line no’s. 214–215). Consequently, the resulting contribution was used by the amountMerlinToMint function to calculate the amount of MERL tokens to mint as rewards (line no. 224). The incorrect 5,625.685 MERL were minted for the Attacker Contract (line no. 226).

Figure 10. The amountMerlinToMint function of Merlin Contract

And, the amountMerlinToMint function was the root cause of the exploit. This function calculated the amount of MERL tokens that would be minted for the Attacker Contract as rewards.

The following equation was being used:

mintMerlin = bnbProfit * merlinPerProfitBNB / 10^18

Where the merlinPerProfitBNB had a fixed value of 350000000000000000, the mintMerlin was 5,625.685, which considered an invalid value as the fixed value of the merlinPerProfitBNB did not reflect the actual price of MERL comparing to the price of BNB at that moment.

Step 6: Withdrew the deposited 0.1 WBNB

Figure 11. The withdrawAll function of Merlin Contract

After the incorrect 5,625.685 MERL was taken, the Attacker Contract invoked the withdrawAll function as Step 6. This function withdrew the deposit of 0.1 WBNB (in Step 1) from Alpaca Vault (line no. 157). The deposit amount deducted from the withdrawalFee and the performanceFee, 0.0995 WBNB, was transferred to the Attacker Contract (line no. 175).

Step 7: Swapped the incorrectly minted 5,625.685 MERL for 246.289 WBNB

Figure 12. The swapExactTokensForTokens function of PancakeSwap Contract

Step 7 was performed as the final step. The Attacker Contract invoked a call to the swapExactTokensForTokens function to swap the incorrectly minted 5,625.685 MERL for 246.289 WBNB through PancakeSwap Router.

Profit gained from this transaction

amountIn = 382.7 WBNB (Step 5) + 
0.099 WBNB (Step 6) +
246.289 WBNB (Step 7)
= 629.088 WBNB
amountOut = 0.1 WBNB (Step 1) +
546.712 WBNB (Step 2) +
0.001 WBNB (Step 3)
= 546.813 WBNB
txFee = 0.012 WBNBprofitGained = amountIn - amountOut - txFee
= 629.088 WBNB - 546.813 WBNB - 0.012 WBNB
= 82.263 WBNB

The attacker gained a profit from the considered transaction of 82.263 WBNB.

Associated Transactions

There were 25 significant transactions during the attack, generated by 4 Attacker Contracts as follows.

Transactions executed by Attacker Contract #1

  1. 0x1ba1fd3ba2605314eee424abef0e42667a3bac739359b0a27d7c7f87b09f6798
    Profit Gained: 0.037 WBNB

Transactions executed by Attacker Contract #2

  1. 0x4dcf37a6d5ed7786fc7f103258a245ba8dcd813b57a5bc516eda68f56c26fec8
    Profit Gained: 8.595 WBNB

Transactions executed by Attacker Contract #3

  1. 0x0fed4bde0e389434925f6aa2072c5b862bc0878908c39e4c165c86872584a609
    Profit Gained: 10.622 WBNB

Transactions executed by Attacker Contract #4

  1. 0x3be6c0ab07d7fa03bca44b0d0aa4093e67dca2747278cf2951740f2cd8db5a0f
    Profit Gained: 12.684 WBNB
  2. 0x163314b66bacee77c6e13a5063c37ad1201fa14f93a57fdb1099085b462b151a
    Profit Gained: 15.706 WBNB
  3. 0xba2e4151b0a032075455b7c35f6f16afe8dc054fcc513abf5fadaf2c82eb8485
    Profit Gained: 19.354 WBNB
  4. 0x09fdb6b036175c762809fc9e157f9ff27b203f24885b0516cb958ebfb6bf7295
    Profit Gained: 23.711 WBNB
  5. 0xf527bb753045700435a2d233e5fa007e5c41c09b534f22e70f90d0fb1e0d89ba
    Profit Gained: 28.838 WBNB
  6. 0xcf2fa2aad34b0368c903446821aae24626b0a5f15c74b23242083711f6034da2
    Profit Gained: 34.767 WBNB
  7. 0xc9bc30c2e8f6dcd769e05ae0f0413436b652e3976f144eb662adfb5ebc68fced
    Profit Gained: 41.464 WBNB
  8. 0xc653926bc4ee7a1e661aafe5aa677e444b82a3938908ba236952ab3eb78d9a06
    Profit Gained: 48.816 WBNB
  9. 0x0451b4d0c777a82c5510505c7b849c301cc462dee8d39ae7576d6acc5bdcaf36
    Profit Gained: 56.584 WBNB
  10. 0x27577113330c7a24bfbe3b1d12a7e39ed13ae652a639cebaaf187c140d3fc1bb
    Profit Gained: 64.394 WBNB
  11. 0x4ccf7e11f1e542f4a9b58ef528d557aec9691f4c1ee86940a82c6be90fbd3d8f
    Profit Gained: 71.723 WBNB
  12. 0x37ea9fb064ebcdcb191c3002ea067a3b9ad6d51d3dc9f423ceb3aec069542ff1
    Profit Gained: 77.917 WBNB
  13. 0x31fdf621f60684579de00f30b33fa051c19f1fd45d891c817e2a3888a9b75726
    Profit Gained: 82.263 WBNB
  14. 0xb0be09a44e4afd2e84c391dd3759e76462524cc323181f8d0b9563f16e0e5961
    Profit Gained: 84.078 WBNB
  15. 0x3dd26b84dd8f302232aa85ecfbf6a95a30c707557ec2902fa8206e6f4fba64b3
    Profit Gained: 82.837 WBNB
  16. 0xa93ed3833ea5c16655ea07a42a40c2866e26add45e27563a64e12c4dcab0b32f
    Profit Gained: 78.3 WBNB
  17. 0x903ae34f48d4e00da8d7ca5dfad26f8f37e80cde2156907580cf551a63317f76
    Profit Gained: 70.517 WBNB
  18. 0x8e70209ceef833e964c36d5c947b0adfbc60d8845f3ffc03588544408132ee15
    Profit Gained: 59.924 WBNB
  19. 0x3f30562e347f31be2eb3ce27455606025ecc748b91b95bc5abe8291c6061efdc
    Profit Gained: 47.215 WBNB
  20. 0x09cea6d81cadc548aa4727e295511b3b429bf1b439a6a1c603d9454461920242
    Profit Gained: 33.246 WBNB
  21. 0xf48f28a24571ffded2a0e06cbf30acfb4db085a4a2c8dc659d2dbf16344ae1de
    Profit Gained: 18.899 WBNB
  22. 0x9d0f75824f85f108063f6d138aabadc5146d2e5cada3e7928568d6b2519f5068
    Profit Gained: 4.959 WBNB

Total Profit Gained

The attacker gained a profit of 1077.45 WBNB.

Summary

The attacker used custom Smart Contracts as an automated tool to facilitate their attacks. The attacker executed 25 significant transactions during the raid that made the attacker gain 1077.45 WBNB.

Figure 13. Merlin Lab announced to cease its operations

After being attacked, Merlin Lab announced to cease its operations. Users who are farming via Merlin’s pools are asked to withdraw their funds as the website is shutting down, unless they may need to withdraw their funds through BscScan or other supported platforms instead.

Author Details

Phuwanai Thummavet (serial-coder), Lead Blockchain Security Auditor and Consultant | Blockchain Architect and Developer.

See the author’s profile.

About Valix Consulting

Valix Consulting is a blockchain and smart contract security firm offering a wide range of cybersecurity consulting services. Our specialists, combined with technical expertise with industry knowledge and support staff, strive to deliver consistently superior quality services.

For any business inquiries, please get in touch with us via Twitter, Facebook, or info@valix.io.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Valix

Valix

Valix Consulting is a blockchain and smart contract security firm offering a wide range of cybersecurity consulting services.