Loading prices…
🩸BEARISH

Summer.fi halts Lazy Summer vaults after $6M flash-loan exploit

The $6M loss is a third of the protocol's TVL; the accounting-logic flaw and the unpaused window before guardians acted will get equal scrutiny from audit shops and depositors.

Summer.fi halts Lazy Summer vaults after $6M flash-loan exploit
Summer.fi halts Lazy Summer vaults after $6M flash-loan exploit
Summer.fi halts Lazy Summer vaults after $6M flash-loan exploit
Summer.fi halts Lazy Summer vaults after $6M flash-loan exploit

Decentralized finance protocol Summer.fi paused its Lazy Summer vaults after an exploit drained roughly $6 million from the Ethereum-based yield platform. The protocol had about $22 million in total value locked before the attack, per DeFiLlama, meaning the loss represents close to a third of all deposited assets.

The attacker used a large flash loan, reportedly sourced through Morpho, to manipulate the accounting logic of Lazy Summer's automated USDC vaults. By inflating reported total assets, the exploiter was able to redeem against the inflated figure for a net profit. Stolen funds were converted to DAI on Curve before being moved to the attacker's wallet, per on-chain analysis.

Blockchain security firm Blockaid first flagged the suspicious activity, with PeckShield and CertiK also reporting the incident. Summer.fi confirmed the investigation and said protocol guardians had paused affected vaults to halt further losses. DeFi researcher Bhari traced the flaw to a code defect that allowed the accounting override to succeed.

Why it matters

Lazy Summer is an automated yield router that deposits user funds across lending markets including Aave and Morpho, rebalancing positions on behalf of depositors to chase higher returns. A flash-loan attack that exploits accounting rather than outright price oracle manipulation is among the harder failure modes to model, because it requires the attacker's capital to be transient but the inflated state to persist long enough for redemption. The fact that the protocol carried $22M in TVL into a flaw of this shape will weigh on the broader yield-aggregator category, where depositors largely underwrite code they do not read.

Market impact

Summer.fi's SUMR token fell more than 18% after the exploit surfaced, pricing in the immediate reputational and treasury impact. Comparable yield-router incidents, including the 2023 Euler Finance hack and the 2024 phishing-driven approvals on multiple aggregators, were followed by weeks of withdrawal pressure and partial recovery once post-mortems and remediation plans went public.

Related tokens
$ETH

Frequently asked questions

  1. What happened in the Summer.fi Lazy Summer exploit?

    An attacker used a flash loan, reportedly sourced through Morpho, to manipulate the accounting logic of Lazy Summer's automated USDC vaults. By inflating reported total assets, the exploiter redeemed against the inflated figure for roughly $6M in profit.

  2. How much was lost and what was the protocol's size?

    About $6 million was drained from the protocol, which carried roughly $22 million in total value locked before the attack, per DeFiLlama. The loss represents close to a third of deposited assets.

  3. Which security firms reported the incident?

    Blockchain security firm Blockaid first flagged the suspicious activity. PeckShield and CertiK also reported the incident. Summer.fi confirmed it was investigating and said protocol guardians paused the affected vaults.

  4. What happened to the Summer.fi SUMR token?

    SUMR fell more than 18% after the exploit was uncovered, pricing in the immediate reputational and treasury impact of the incident.

  5. How were the stolen funds moved after the exploit?

    On-chain analysis shows the stolen funds were converted to DAI on Curve before being transferred to the attacker's wallet, complicating recovery efforts.

Source attribution
Aggregated from CoinDesk · Verified · Last refreshed 7h ago
Open original →