Alpaca Finance Releases Integration Documentation To Curb Future Errors Like Merlin Finance’s Exploit

The documentation advises developers on what code structures to use to secure their protocols from identified vulnerabilities.

Increasing Need For Transparency

The crypto-space is increasingly getting littered with exploits and hacks. From rug pulls to flash loan attacks, the activities of criminals are threatening the credibility of the crypto industry. Recently, three different projects PancakeBunnyAutoShark, and Merlin Finance, were hacked using a similar method

On its Twitter handle, cybersecurity firm, Inspex, gave a detailed analysis of how Merlin’s code was exploited. The impact on Merlin Finance appeared to be hard enough to force it to shut down operations, as can be seen on its websiteTwitter, and Medium links. The attacks across the ecosystem warrant a need for transparency between platforms and the seriousness of their security. 


When we consider that three top-tier audit companies audited Merlin, we understand how audacious hackers can be. 

The Merlin exploit happened through the Alpaca Finance vault on its platform. After information on how the exploit occurred became clear, Alpaca Finance announced the release of documentation that would improve the security of their Binance Smart Chain logic. The documentation guides developers on how to securely integrate into Alpaca in a way that will protect them from a Merlin-style attack.


Strategies Outlined By Alpaca

The documentation advises developers of specific code formats to use when integrating their smart contracts into Alpaca Finance. The recommended formats are as follows:

Alpaca discouraged the use of MaxUint256 to approve ‘token spending allowance‘ for a vault deposit action. According to the platform, the use of MaxUint256 may introduce a security vulnerability. Alpaca instead advises that deposit calls should be made by: 

Calling the ‘deposit‘ method, 

Specify the exact deposit amount in the ‘amount Token‘ box using the data type ‘uint256’ 

Format ‘uint256‘ to the exact decimals for the tokens to be deposited.

To withdraw base tokens from the ‘vault’ contract, input the desired amount to the ‘withdraw‘ for the number of tokens to be withdrawn.

For interest-bearing transactions, the ratio of the interest-bearing token (ibToken) and the actual base token needs to be accurately determined at all times. In addition, the price of ibTokens should not depend only on the smart contract’s calculations. These two points are vital in preventing a flash loan attacker from manipulating ibToken prices.


Alpaca recommended the following steps to determine the prices of ibTokens securely: 

By smart contract calculation, deduce the price of the ibToken

Fetch the price of the ibToken from either an external price oracle or directly from Alpaca’s application programmable interface (API).

Compare the two prices. If the percentage difference is more than a single digit, reverse the transaction.

For developers who want to implement a staking function, Alpaca advocates the inclusion of these codes: 

Calling the ‘deposit‘ method with the parameters _for_pid, and _amount (uint256 format expressed in the deposited token’s decimals). 

If a user wants to harvest rewards from a staking pool, the ‘harvest‘ method must be called, and the pool ID supplied

To withdraw tokens staked in a pool, the value of the user’s share in the pool must be equal to the ‘withdraw‘ called in the contract. 


Last Words

Exploits and hacks have been a recurring issue in decentralised finance and blockchain. As is often the case, when the route used in an exploit is established, platforms take measures to fix their systems.

Alpaca Finance released this guide to developers to close the gaps identified as the loopholes in Merlin Finance, ValueDefi, and bEarn.Fi exploits and fortify the security of the Binance Smart Chain ecosystem.

About Alpaca Finance

Alpaca Finance touts itself as the biggest lending protocol that allows leveraged yield farming on BSC.  It is a community-owned project that allows lenders safe and stable yield and borrowers to get loans for leveraged yield farming positions undercollateralized. Their leverages allow borrowers to multiply their farming principles and the resulting profits. The project has partnered with other promising BSC projects like Wault Finance to expand the platform’s reach.

Source :

Leave a Reply

Your email address will not be published. Required fields are marked *