Summer.fi was hit by a suspected $6 million flash loan exploit with DeFi vaults being targeted


In a recent development earlier today, Blockaid and CertiK, two blockchain security companies, identified a flash loan vulnerability on Summer.fi (Lazy Summer Protocol). Thanks to a $65.4 million flash loan, obtained from Morpho, the attacker was able to hide about $6 million, most of it in DAI, and change the treasury stock account, all in a single atomic transaction.

How to detect a Summer.fi attack

Lazy Summer Protocol is a yield vault protocol launched by Summer.fi in early 2025 and SUMR is a governance token introduced in January 2026.

The protocol moves user deposits from top DeFi loan markets, such as Morpho, Fluid, and Aave, automating the rebalancing of funds for optimal risk-adjusted returns. This attack now puts the architecture of the automated vault under the microscope, as… DeFi Flash Loan Attacks It drained $500 million, a pattern that is still hitting the protocols in 2026.

The vulnerability is said to have exploited one of Summer.fi’s ERC-4626-style vaults, known as LazyVault_LowerRisk_USDC. The attacker’s wallet, 0x7BF…3BDCa, was seen on-chain, with the wallet receiving funds approximately two months before the attack, showing careful planning.

The attacker obtained a $65.4 million flash loan from Morpho and funneled the funds through Curve, Uniswap, and Balancer to manipulate treasury liquidity and stock prices.

By making large deposits and withdrawals within a single atomic transaction, the exploiter distorted the treasury stock accounting and extracted approximately $6 million before the flash loan was repaid. Since the transaction was atomic, it either committed completely or failed completely.

This vulnerability took advantage of a known vulnerability in the ERC-4626 vault involving the inflation of shares through token donations, a flaw previously observed in several DeFi incidents. The attack was independently confirmed by security firm PeckShield and exploit monitoring platform Phalcon.

the Take advantage of Yearn’s Fast Financing Loan In a previous cycle, Aave used similar vault manipulation mechanisms, underscoring how this attack vector persists across DeFi generations.

Impact, response and what’s next

At the time of writing, Summer.fi has not issued any official statement. At the time of the initial alert of the siege, the attack was said to be continuing. They are urged to monitor situations closely if they are affected by the affected basement.

Blockaid identified the exploit and alerted users in real time through its threat detection network. According to CertiK, the attacker made profits of around $6 million through liquidity manipulation. Initial reports indicated that no external user funds were at risk, as exploitation was limited to affected vault mechanisms.

This incident adds to a growing number of DeFi security breaches in 2026. It remains particularly difficult to defend against flash loan attacks because they do not require upfront collateral, and failed attacks are automatically rolled back.

The extent to which the broader DeFi movement is able to recover, or at all, will depend on the findings of the Summer.fi team regarding a mitigation strategy as well as outreach efforts through a “whale hat” approach. the Best DeFi Lending Platforms In 2026, they still carry the risk of smart contract exploitation, a reminder that due diligence remains critical even on audited platforms.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *