Summer.fi Loses $6M in Flash Loan Attack on DeFi Vault

ETH0.17%
CRV-0.19%
MORPHO-3.91%

Summer.fi, a DeFi yield aggregation platform, lost approximately $6 million on July 06 in a suspected flash loan attack targeting its Lazy Summer smart contracts, according to Web3 security platform Blockaid. The exploit occurred after a wallet funded through FixedFloat on the Base network initiated a suspicious transaction on Ethereum, manipulating the vault's share accounting mechanism by exploiting asset price vulnerabilities. Flash loan attacks enable attackers to borrow large amounts of capital and repay within a single blockchain transaction, allowing temporary distortion of liquidity or pricing conditions without requiring long-term financial exposure beyond transaction fees.

Blockaid and PeckShield Identify Vault Accounting Manipulation

Blockaid's exploit detection system identified the ongoing attack, reporting that preliminary analysis indicates the attacker exploited a vulnerability in the vault's share accounting mechanism by manipulating asset prices. The stolen funds were subsequently converted into DAI and transferred to an address controlled by the attacker.

Blockchain security firm PeckShield identified the primary affected vault as LazyVault_LowerRisk_USDC (LVUSDC), which is managed by Block Analitica. During the incident, the vault's displayed annual percentage yield (APY) briefly surged to around 2.08 million, reflecting the abnormal state of the protocol. PeckShield also noted that one of the vault's largest holders, a wallet believed to be associated with Torben Jorgensen (UDHC), had deposited roughly 8.6 million USDC into the affected vault.

CertiK Traces $65.4 Million Flash Loan Transaction

CertiK pointed to a suspicious transaction consistent with a flash loan attack. According to the firm's analysis, the attacker obtained a flash loan worth approximately $65.4 million and used the borrowed funds to manipulate liquidity across Curve's DAI/USDC pools and Morpho V2 vaults. The exploit is believed to have abused the vault deallocation mechanism, enabling the attacker to manipulate share accounting before extracting $6 million in profit. The flash loan was repaid within the same blockchain transaction, meaning the attacker did not need to commit their own capital beyond transaction fees.

Summer.fi provides yield aggregation and automated vault management services, offering institutional-focused infrastructure for DeFi users. It enables users to borrow stablecoins, manage leveraged positions, and earn yield through integrations with multiple DeFi protocols. The project had not publicly commented on the incident at the time of publication.

FAQ

What happened to Summer.fi on July 06?

Summer.fi lost approximately $6 million in a suspected flash loan attack that exploited a vulnerability in its Lazy Summer smart contracts' vault share accounting mechanism, according to Blockaid.

How did the attacker execute the Summer.fi exploit?

According to CertiK's analysis, the attacker obtained a flash loan worth approximately $65.4 million, used the borrowed funds to manipulate liquidity across Curve's DAI/USDC pools and Morpho V2 vaults, abused the vault deallocation mechanism to manipulate share accounting, extracted $6 million in profit, and repaid the flash loan within the same blockchain transaction.

Which vault was primarily affected in the Summer.fi attack?

PeckShield identified LazyVault_LowerRisk_USDC (LVUSDC), managed by Block Analitica, as the primary affected vault, with its annual percentage yield briefly surging to around 2.08 million during the incident.

Disclaimer: The information on this page may come from third-party sources and is for reference only. It does not represent the views or opinions of Gate and does not constitute any financial, investment, or legal advice. Virtual asset trading involves high risk. Please do not rely solely on the information on this page when making decisions. For details, see the Disclaimer.
Comment
0/400
No comments