Skip to content
Est. MMXXVIVol. VI · № 305RSS
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 305Flash Loan Attack

Summer.fi Lazy Summer Vault Accounting Exploit

A flash-loan attacker manipulated share accounting in Summer.fi's Lazy Summer USDC vault, redeeming inflated assets to drain about $6 million on Ethereum.

Date
Victim
Summer.fi
Chain(s)
Status
Funds Stolen

On July 6, 2026, Summer.fi — the front-end for the on-chain yield system known as the Lazy Summer Protocol — was exploited for approximately $6 million after an attacker used a large flash loan to manipulate the share accounting of one of its USDC vaults and redeem far more value than was deposited.

What happened

The Lazy Summer Protocol runs LazyVaults that automatically route deposits across DeFi yield sources such as Aave, Morpho and Curve. The attacker took a flash loan of roughly $65.4 million, primarily in USDC and USDT sourced from Morpho, and cycled it through liquidity venues including Curve to create temporary imbalances. Those imbalances distorted the share-price and deallocation logic of the LazyVault_LowerRisk_USDC vault, letting the attacker artificially inflate the vault's total assets and then redeem shares for far more than they were worth — reportedly securing about a $70.9 million redemption against the borrowed capital, all in a single atomic transaction. The net profit of roughly $6 million was converted to DAI on Curve and moved to an attacker-controlled address; on-chain analysts noted the originating wallet had been funded through FixedFloat on the Base network. Summer.fi held about $22 million in total value locked before the incident.

Aftermath

Security firm Blockaid first flagged the draining transaction, with PeckShield and CertiK also reporting suspicious activity and publishing the attacker address and exploit contract. Summer.fi paused all Lazy Summer Protocol vaults to contain the incident and began investigating the accounting flaw. The protocol's SUMR token fell more than 18% in the hours after the exploit surfaced. As of reporting, the stolen funds had not been recovered, and the incident is classified as an ongoing loss.

Why it matters

Summer.fi is another entry in 2026's dominant DeFi failure mode: vault share-accounting manipulation funded by flash loans. The same primitive — borrow cheaply, distort an internal assets-per-share ratio, then redeem the inflation — drained Bunni through a rounding flaw in its liquidity math and underpinned the ERC-4626 donation attacks on Resupply and Thetanuts. It landed the same week as Edel Finance, another flash-loan-funded vault-pricing exploit, underscoring a blunt lesson for auto-compounding yield routers: an aggregator is only as safe as the weakest accounting assumption in any vault it touches, and share-price math must remain sound even when an attacker can momentarily command tens of millions in borrowed liquidity.

Sources & on-chain evidence

  1. [01]coindesk.comhttps://www.coindesk.com/web3/2026/07/06/defi-protocol-summer-fi-halts-lazy-summer-vaults-after-usd6-million-exploit
  2. [02]theblock.cohttps://www.theblock.co/post/407198/summer-finance-exploited
  3. [03]beincrypto.comhttps://beincrypto.com/summer-fi-exploit-6-million-sumr/
  4. [04]mpost.iohttps://mpost.io/summer-fi-suffers-6m-defi-exploit-after-alleged-flash-loan-manipulates-vault-accounting/

Related filings