VERDICT: UNRATED
Verdict pending. Auto-ingested incidents are reviewed before a public verdict is rendered.
Root cause
Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Forensic narrative
The hack of the yield aggregator Merlin Lab stems from a logic flaw in MerlinStrategyAlpacaBNB. The contract mistakenly treats BNB transferred in by the beneficiary as mining revenue, which causes the contract to issue more MERL as a reward. By repeating the operation, the attacker made a profit of 300,000 US dollars. Attack method (per SlowMist): Logic Vulnerability. Reported loss: $300,000.
Sourced from
slowmist
Technical record
- chain: —
- protocol: Merlin Lab
- bug_class: logic
- date_occurred: 2021-06-28
- loss_usd: $300,000
- source_id: sm:merlin-lab::2021-06-28