Decentralized finance protocol Summer.fi lost about $6 million after an attacker exploited a flash loan vulnerability in its Lazy Summer automated yield vaults on Ethereum, prompting protocol guardians to pause all affected vaults.
The exploit was first flagged by blockchain security firm Blockaid early Monday, with CertiK and PeckShield later confirming the attack. CertiK said the attacker used a $65.4 million flash loan sourced from Morpho to manipulate the accounting logic of FleetCommander, the smart contract managing vault operations, allowing them to inflate total assets and redeem $70.9 million in a single atomic transaction.
"The attacker manipulated FleetCommander's accounting of totalAssets across several vaults, particularly Silo: Varlamore USDC Growth, which the attacker had accumulated beforehand and donated to the Ark in between," CertiK wrote on X. The exploit targeted an ERC-4626 tokenized vault known as LazyVault_LowerRisk_USDC, exploiting a known share inflation vulnerability through token donations. The stolen funds were swapped to DAI on Curve and transferred to the attacker's wallet, identified on-chain as 0x7BF…3BDCa.
Summer.fi confirmed the incident and said protocol guardians had paused affected vaults to prevent additional losses. The protocol had $22 million in total value locked before the exploit, according to DefiLlama data. Its SUMR governance token fell more than 18 percent after the attack was disclosed. The incident adds to a growing pattern of flash loan attacks targeting DeFi yield aggregators, where automated rebalancing across lending markets such as Aave and Morpho creates complex accounting surfaces that can be distorted within a single transaction block.
This article is for informational purposes only and does not constitute investment advice.