$145K Lost as Hackers Use Merkl to Launch Unverified DeFi Scams

Hackers have found a new way to exploit decentralized finance (DeFi) users. This time, they used Merkl, a one-stop DeFi incentive platform, to create fake, unverified campaigns and drain users’ deposits. The scam targeted users on Sonic through the Euler protocol. It has already caused losses of more than $145,000.

Hackers Create Fake High-Yield Campaigns

According to DeFi user YAM, a bad actor took advantage of Merkl’s open setup to create fake campaigns. That appeared to offer triple-digit APR returns. The scam invited users to deposit USDC into what looked like a legitimate Euler vault on Sonic. However, once users deposited their funds, the attacker drained them completely.

吴说获悉，据 DeFi 玩家 YAM，黑客正在利用一站式 DeFi 协议 Merkl 创建未验证的活动以欺诈用户存款，如近期黑客通过在 Sonic 上创建三位数 APR 激励以诱导用户将 USDC 存入 Euler Vault，然后再抽干所有存款。由于 Euler…

— 吴说区块链 (@wublockchain12) October 29, 2025

Because Euler Finance is a permissionless protocol, anyone can deploy markets without approval. The attacker used this feature to launch a fake market. Using a token called scUSD as collateral and USDC as debt. They then manipulated the oracle price, a key data feed used in DeFi, setting it to an absurd $1 million per token. This allowed them to borrow 700,000 USDC against a single scUSD. This effectively gives them complete control of the vault’s funds.

How the Scam Worked

Once the fake market was live, the attacker launched an unverified campaign on Merkl. He is promoting extremely high yields to attract deposits. Users who deposited USDC into the campaign had their funds borrowed, swapped into ETH. Then transferred to the RAILGUN Project, a privacy protocol often used to hide transactions.

On-chain data shows the main operator’s wallet address as 0x8ba913e…, with funds eventually sent to 0xa86399… before disappearing into RAILGUN. Interestingly, one user, identified as 0xc0f8fe… managed to withdraw their deposit before the attacker drained it. Likely because the hacker was not actively monitoring the vault.

Reactions From the DeFi Community

Following the discovery, YAM urged users to be cautious when interacting with unverified Merkl campaigns. They also called on Merkl’s team to make it more difficult to deposit into such campaigns by adding stronger pop-up warnings.

Michael Bentley, co-founder and CEO of Euler Labs, responded by confirming. That the vault in question was clearly marked as unverified and labeled a security risk. He noted that the Euler website only allows access to unverified vaults after users manually toggle an option acknowledging the risk. “We’re now permanently blocking all links to this particular vault to prevent further use,” Bentley added.

Community members also raised questions about how DeFi users can verify if a market’s oracle is legitimate. YAM explained that oracles provide real-world price data to DeFi apps. They are often controlled by the market’s curators and must be set up carefully. A small mistake, such as an incorrect decimal or an unsecured multisig, can open doors to major exploits like this one.

Calls for Stronger Safeguards

The incident highlights a recurring issue in DeFi. The balance between permissionless innovation and user safety. Platforms like Merkl and Euler allow anyone to create or join markets freely. But that openness also gives attackers room to act. While projects clearly mark unverified campaigns. The growing number of scams shows that warnings alone may not be enough.

Users are now calling for more friction, such as mandatory verification checks or extra confirmations, to protect deposits. Currently, experts are advising users to interact only with verified campaigns and double-check contract details before depositing funds. The $145,000 exploit serves as another reminder that even in DeFi’s open world, caution is the best defense.

Source