Quick update following yesterday’s situation with the creation of a scammy Euler vault and an incentive campaign by a bad actor on @merkl_xyz
The first thing to note is that Merkl operates as a permissionless platform: anyone can create a campaign on top of any asset/pool using Merkl, provided that they use a reward token that we've whitelisted.
That being said, as maintainers of the Merkl app, we recognize our responsibility to protect users. Everyone deserves clear warnings and the tools necessary to conduct proper due diligence before committing to any opportunity, especially those carrying significant risk.
On this topic in particular, as soon as we were notified of the potential danger on this vault, we labeled it as UNVERIFIED and later proceeded with removing it from the Merkl app.
We're working on adding extra safeguards to prevent scammy incentive campaigns from appearing on our frontend. We’re also collaborating with protocols to improve metadata parsing, spot risky vaults or markets ahead of time, and help everyone steer clear of such traps.
Be VERY careful interacting with unverified @merkl_xyz campaigns.
A bad actor is creating triple digit APR incentives on Sonic for depositing USDC into an Euler vault, and drains all deposits. This is how it works:
Because Euler is permissionless, the attacker was able to deploy a 'fake' market using scUSD as collateral and USDC as debt. The market has a 1$ deposit cap for scUSD - fully taken by the bad actor. The scUSD oracle price is set to $1M per token, allowing the attacker to borrow 700,000 USDC against a single scUSD (at 70% LTV). The attacker controls the oracle and can raise the price further to extract more funds if needed.
Next, the attacker created an unverified, fake campaign on Merkl to attract deposits. Any USDC deposited to this market is borrowed, swapped into ETH, and transferred to @RAILGUN_Project.
Current losses: roughly $145,000, and growing.
As the attacker is not actively monitoring the vault for new deposits, it allowed 0xc0f8feab321f8ffe97666768451747d16da8cad5, a victim who previously deposited USDC into this vault, to withdraw USDC before the attacker managed to borrow it.
While we don't think @merkl_xyz or @eulerfinance are at fault here, as they both clearly flag the campaign/market as unverified, @merkl_xyz should likely make depositing into an unverified campaign much more annoying with more pop-up warnings, just to prevent this from happening in the future.
Main operator: 0x8ba913e764c5cc9b22ee63737841059ad9caac5f
Final receiver before railgun: 0xa86399e78fb3d9fb5be053825a016e32d390fc12
The list of victims can be found here:
Campaign (SCAM, don't deposit):
Euler Market (SCAM, don't deposit):
cc @zachxbt
4,22 tis.
19
Obsah na této stránce poskytují třetí strany. Není-li uvedeno jinak, společnost OKX není autorem těchto informací a nenárokuje si u těchto materiálů žádná autorská práva. Obsah je poskytován pouze pro informativní účely a nevyjadřuje názory společnosti OKX. Nejedná se o doporučení jakéhokoli druhu a nemělo by být považováno za investiční poradenství ani nabádání k nákupu nebo prodeji digitálních aktiv. Tam, kde se k poskytování souhrnů a dalších informací používá generativní AI, může být vygenerovaný obsah nepřesný nebo nekonzistentní. Další podrobnosti a informace naleznete v připojeném článku. Společnost OKX neodpovídá za obsah, jehož hostitelem jsou externí weby. Držená digitální aktiva, včetně stablecoinů a tokenů NFT, zahrnují vysokou míru rizika a mohou značně kolísat. Měli byste pečlivě zvážit, zde je pro vás obchodování s digitálními aktivy nebo jejich držení vhodné z hlediska vaší finanční situace.