Merlin (MERL)

Basics

• Based in:
• Started in / Announced on:
• Testnet release:
• Mainnet release: 24-4-2021
• Folded on 29-6-2021.

History

• After three audits and exploits, the team threw the towel in the ring and announced they were closing down Merlin Lab.

Audits & Exploits

• There is a bug bounty of 200,000$ (16-5-2021).
• Score of 36% on DeFi Safety (26-5-2021): "Hacken did a Merlin audit on May 15th 2021. Merlin was released April 24th 2021." With the comment: "Merlin from Binance is up with a 36%. No software docs, no visible tests (probably hidden in a private repo) and no clue how much control the admins have. No transparency, no trust."

Bugs/Exploits

• The same day as DeFi Safety released its above review, Merlin got exploited for $680.000.

• From Rekt (26-5-2021):

"The same technique has been used three times in one week. BSC developers must try harder. On May 26, 2021, 03:59:05 AM +UTC, less than 48 hrs after the Autoshark hack. Merlin Lab, (another fork of PancakeBunny), was attacked in a similar fashion to the Bunny and the Autoshark hack. As a result, the hacker was able to remove ~240 ETH (~680K USD).

• From Rekt (27-5-2021):

"Just 8 hours after the first attack, they lost another ~200 ETH to a completely different exploit. The second attack took advantage of a mistake in their new priceCalculator that mispriced only BAND. ~$550,000 dollars lost due to a fix that did more damage than good. The Merlin team have outlined a compensation plan for those who lost out in the initial attack, and the one which came afterward."

• From Rekt (29-6-2021):

"A total of $330k was stolen, bringing their TVL (total value lost) to $1,560,000, and putting them on par with Value DeFi as one of the few protocols to be so unsafe that they have three positions onto the rekt leaderboard. Merlin's reward system gave users Merlin tokens for every $ in performance fees they brought in. It was rewarding 35 MERL (~$500 at the time) for every BNB (worth ~$300). When calculating the profit of the strategy, it converted the received BNB to WBNB. The increase in WBNB balance was then seen as the profit. By sending BNB to the contract directly, it is also converted to WBNB and considered "profit". By depositing BNB in the contract, the attacker could harvest and all that BNB would be assumed to be rewardable profit. Straight to ETH, then Tornado and it’s gone."

Governance

Admin Key

• DeFi Safety (31-5-2021):

"There is no evident admin controls explained anywhere in their documentation, except that they have timelocks (though they are not defined or referenced)."

Treasury

Token

Launch

Token Allocation

Utility

Other Details

Technology

• Whitepaper can be found [insert here].
• Code can be viewed [insert here].

Implementations

• Built on: BSC

How it works

Staking

Liquidity Mining

Other Details

Team, Funding, Partners

Team

• Full team can be found [here].

Funding

Partners

(:

Knowledge empowers all and will help us get closer to the decentralised world we all want to live in!

Making these free wiki pages is fun but takes a lot of effort and time.

If you have enjoyed reading, tips are appreciated :) This will help us to keep expanding this archive of information.

ETH tip address: 0x83460bE5F218b1520B69D702cE60A1DE37dD8E31

Also check out CoinTr.ee for more content.