Hackers have discovered a new method to target decentralized finance (DeFi) users, this time exploiting Merkl, a DeFi incentive platform, to create fake and unverified campaigns that drained users’ deposits. The scam, which targeted users on Sonic via the Euler protocol, has already resulted in losses exceeding $145,000.
Hackers Launch Fake High-Yield Campaigns
According to DeFi user YAM, a malicious actor exploited Merkl’s open-access framework to launch fraudulent campaigns promising triple-digit APR returns. These campaigns appeared to be linked to a legitimate Euler vault on Sonic, tricking users into depositing their USDC. Once the funds were deposited, the attacker emptied the vault, stealing the entire amount.
Because Euler Finance operates as a permissionless protocol, anyone can deploy new markets without prior approval. The attacker exploited this feature to create a fake market, using a token named scUSD as collateral and USDC as debt. By manipulating the oracle price — the data feed that provides market prices in DeFi — the hacker set the value of scUSD to a ridiculous $1 million per token. This allowed them to borrow 700,000 USDC against a single scUSD, effectively granting full control over the vault’s funds.
How the Scam Worked
Once the fake market went live, the attacker launched an unverified campaign on Merkl, advertising extremely high yields to lure investors. Unsuspecting users deposited USDC into what appeared to be a legitimate opportunity. In reality, the attacker used the borrowed funds to swap USDC into ETH and then transferred the assets to the RAILGUN Project, a privacy protocol often used to obscure transaction trails.
On-chain data shows the attacker’s main wallet as 0x8ba913e…, with funds eventually moving to 0xa86399… before vanishing into RAILGUN. Interestingly, one user (0xc0f8fe…) managed to withdraw their deposit just in time — likely because the hacker wasn’t actively monitoring the vault when the withdrawal occurred.
Reactions From the DeFi Community
After uncovering the scam, YAM urged users to be extra cautious when engaging with unverified Merkl campaigns, recommending that Merkl introduce stronger deposit warnings and clearer risk indicators.
Michael Bentley, co-founder and CEO of Euler Labs, confirmed that the affected vault had been clearly labeled as unverified and flagged as a security risk. He explained that Euler’s website only grants access to such vaults after users manually acknowledge the risk, adding,
“We’re now permanently blocking all links to this particular vault to prevent further use.”
Community members also questioned how DeFi users can ensure that a market’s oracle is trustworthy. YAM clarified that oracles — which feed real-world price data to DeFi protocols — are usually controlled by market curators and require meticulous setup. Even small errors, such as a wrong decimal point or a poorly secured multisig, can open the door to serious exploits.
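The borrow math described earlier (a $1 million scUSD price turning a single token into 700,000 USDC of debt) and the oracle pitfalls YAM lists here (a wrong decimal point, a poorly secured multisig) can be shown in a small model. The Python below is an added example, not Euler's, Merkl's or YAM's code; the `Market` class, the 0.7 loan-to-value ratio chosen to reproduce the 700,000 figure, the 5% deviation threshold and the multisig numbers are all assumptions, and the two sample markets are constructed.

```python
import math
from dataclasses import dataclass


@dataclass
class Market:
    """Toy permissionless lending market with a curator-controlled oracle (assumed shape)."""
    collateral: str
    debt: str
    ltv: float                      # max loan-to-value the market allows
    oracle_price_usd: float         # USD price of one collateral token, as the oracle reports it
    oracle_admin_signers: int = 1   # members of the multisig that can change the price feed
    oracle_admin_threshold: int = 1 # signatures needed to change the price feed


def max_borrow_usdc(market: Market, collateral_tokens: float) -> float:
    """Debt the market will extend against the collateral, treating USDC as $1.

    This is the whole check a lender performs: it trusts the oracle price
    completely, so an inflated price inflates the borrowable amount 1:1.
    """
    return collateral_tokens * market.oracle_price_usd * market.ltv


def oracle_findings(market: Market, reference_price_usd: float,
                    max_deviation: float = 0.05) -> list[str]:
    """Curator-side sanity checks a depositor or reviewer can run before trusting a market.

    reference_price_usd is an independent price (e.g. a second feed or a DEX quote).
    Returns a list of human-readable findings; an empty list means nothing looked off.
    """
    findings = []
    if reference_price_usd <= 0:
        return ["no usable reference price"]

    ratio = market.oracle_price_usd / reference_price_usd

    # 1. Gross deviation from the independent reference.
    if abs(ratio - 1.0) > max_deviation:
        findings.append(
            f"price_deviation: oracle ${market.oracle_price_usd:,.2f} vs "
            f"reference ${reference_price_usd:,.2f} ({ratio:,.0f}x)"
        )

    # 2. An exact power-of-ten gap is the signature of a decimals/scale mistake
    #    (e.g. a feed posted with 18 decimals read as 6), not a market move.
    if ratio > 0:
        exponent = math.log10(ratio)
        if abs(exponent - round(exponent)) < 1e-9 and round(exponent) != 0:
            findings.append(
                f"decimals_mismatch: oracle is exactly 10^{round(exponent)} off the reference"
            )

    # 3. Whoever can rewrite the feed can rewrite the collateral value; a single
    #    signer (or an impossible threshold) means no second party has to agree.
    if (market.oracle_admin_threshold < 2
            or market.oracle_admin_threshold > market.oracle_admin_signers):
        findings.append(
            f"weak_oracle_admin: {market.oracle_admin_threshold}-of-"
            f"{market.oracle_admin_signers} multisig controls the price feed"
        )
    return findings


# Constructed sample markets. The manipulated one reproduces the article's numbers:
# $1,000,000 per scUSD with an assumed 0.7 LTV lets one token borrow 700,000 USDC.
HONEST = Market("scUSD", "USDC", ltv=0.9, oracle_price_usd=1.00,
                oracle_admin_signers=5, oracle_admin_threshold=3)
MANIPULATED = Market("scUSD", "USDC", ltv=0.7, oracle_price_usd=1_000_000.0,
                     oracle_admin_signers=1, oracle_admin_threshold=1)


if __name__ == "__main__":
    for name, market in (("honest", HONEST), ("manipulated", MANIPULATED)):
        print(f"{name}: 1 {market.collateral} can borrow "
              f"{max_borrow_usdc(market, 1):,.2f} {market.debt}")
        for finding in oracle_findings(market, reference_price_usd=1.00):
            print("   !", finding)
```

Running the script shows the honest market lending 0.90 USDC per scUSD with no findings, while the manipulated market lends 700,000 USDC per token and trips all three checks. The point of the model is that the lending contract itself never sees anything wrong: the solvency check is satisfied because the oracle says so, which is why verifying the oracle's source and its admin controls, rather than the advertised APR, is the check that matters before depositing.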
Calls for Stronger Safeguards
The incident underscores a long-standing challenge in DeFi: balancing permissionless innovation with user protection. Platforms like Merkl and Euler enable open participation and experimentation — but that same openness also creates opportunities for attackers.
While unverified campaigns are labeled as risky, the rising frequency of scams suggests that warnings alone aren’t enough. Users and developers alike are now calling for stricter verification measures, such as mandatory contract checks, enhanced pop-up alerts, or extra confirmation steps before deposits are approved.
For now, experts advise users to stick to verified campaigns and double-check contract details before committing funds. The $145,000 exploit stands as a fresh reminder that even in DeFi’s open and innovative landscape, vigilance remains the strongest defense.