Hackers have discovered a new way to exploit decentralized finance (DeFi) users. This time, they utilized Merkl, a one-stop DeFi incentive platform, to create fake and unverified campaigns to drain users’ deposits. The scam targeted Sonic users through the Euler protocol. It has already caused losses of more than $145,000.
Hackers create fake high-yield campaigns
According to DeFi user YAM, malicious attackers took advantage of Merkl’s open configuration to create fake campaigns that appeared to offer triple-digit APR returns. The scam prompted users to deposit USDC into what appeared to be a legitimate Euler vault on Sonic. However, once users deposited their funds, the attackers completely depleted them.
Wu Shuo learned that hackers are using the one-stop DeFi protocol Merkl to create unverified activities to defraud users of their deposits, according to DeFi player YAM. For example, hackers recently created a three-digit APR incentive on Sonic to entice users to deposit USDC into Euler Vault, then depleted all deposits. Thanks to Euler…
— Wu Shuo Blockchain (@wublockchain12) October 29, 2025
Euler Finance is a permissionless protocol, so anyone can run a market without authorization. Attackers used this feature to launch a fake market that used USDC as the debt asset and a token called scUSD as collateral. They then manipulated the oracle price, a key data feed used in DeFi, setting it at an exorbitant price of $1 million per token. This allowed them to borrow 700,000 USDC against a single scUSD, effectively giving them complete control over the funds in the vault.
Fraud techniques
Once the fake market was up and running, the attackers launched an unverified campaign on Merkl, advertising extremely high yields to attract deposits. Once users deposited USDC into the campaign, the attackers borrowed the funds and exchanged them for ETH. The ETH was then transferred to RAILGUN, a privacy protocol often used to hide transactions.
On-chain data shows the main operator’s wallet address as 0x8ba913e… and that the funds were ultimately sent to 0xa86399… before disappearing into RAILGUN. Interestingly, one user, identified as 0xc0f8fe…, was able to withdraw their deposits before the attackers drained them. This is probably because the hacker wasn’t actively monitoring the vault.
Reactions from the DeFi community
Following this discovery, YAM urged users to be careful when using unverified Merkl campaigns. They also asked Merkl’s team to make it more difficult to deposit into such campaigns by adding stronger pop-up warnings.
Michael Bentley, co-founder and CEO of Euler Labs, responded positively. He noted that the vault in question was clearly marked as unverified and labeled as a security risk, and pointed out that Euler’s website only allows access to unverified vaults if users acknowledge the risks and manually toggle the option. “We are now permanently blocking all links to this particular vault to prevent future use,” Bentley added.
Community members also raised questions about how DeFi users can verify whether market oracles are legitimate. YAM explained that oracles provide real-world price data to DeFi apps. They are often controlled by market administrators and must be configured carefully. Small mistakes, such as decimal errors or insecure multisigs, can open the door to serious exploits like this one.
Seek stronger safeguards
This incident highlighted a recurring problem in DeFi: balancing permissionless innovation and user safety. Platforms like Merkl and Euler allow anyone to freely create and participate in markets, but that openness also gives attackers room to maneuver. The projects do clearly mark unverified campaigns, yet the increasing number of scams shows that warnings alone are not enough.
Users are now demanding more friction, such as mandatory verification checks and additional verifications, to protect their deposits. Experts currently advise users to only use verified campaigns and double-check contract details before depositing funds. The $145,000 exploit is yet another reminder that even in the open world of DeFi, caution is the best defense.


