On May 26, 2021, at 03:59:05 +UTC less than 48 hours after a hacker attack on the Autoshark protocol, Merlin Labs (a PancakeBunny fork) was attacked in a similar fashion to Autoshark and Bunny.
Hackers made away with ~240 ETH (~680K USD).Transaction details on BscScan.
1: A small sum is added as a deposit to the LINK-BNB Vault.
2: 180 CAKE are sent to the LINK-BNB Vault contract – the key leading to the attack.
3: getReward function is performed with the help of the deposit made to the LINK-BNB Vault from p.1.
4: Because of a large number of the CAKE tokens in the vault’s contract wallet the profit becomes bigger. As a result, the system minted 100 MERL to reward the hacker.
5: This action was repeated 36 times. The attacker received 49k MERL tokens.
6: The MERLIN tokens were then exchanged for 240 ETH and transferred via AnySwap from BSC.
The hacker used the CAKE wallet balance as their profit (performanceFee), that can be easily replaced by sending the CAKE tokens to the vault contract. Source