HomeEverythingEducation
Equities & FundsCrypto & Digital AssetsAI & TechnologyBusiness & CorporateUS Politics & PolicyGeopolitics & Global RiskMacro, Rates & FXCommodities & EnergyEuropean Politics & MarketsAsia-PacificReal Estate & Property
← All Stories

Summer.fi Hit By Suspected $6M Flash Loan Exploit

Created at 6 Jul · 11:00 AM1 source↑ Market-relevant
IN SHORT

Blockchain security firms identified a flash loan exploit on Summer.fi's Lazy Summer Protocol, where an attacker used a $65.4 million loan to manipulate vault accounting and steal approximately $6 million, primarily in DAI. The exploit targeted an ERC-4626-style vault, a known vulnerability.

✉Newsletter

PiQ Daily

Pick your topics. Get only what matters, on your cadence.

Key Numbers

$65.4 millionflash loan amount
$6 millionestimated profit from exploit

Who's Involved

Summer.fi
DeFi yield vault protocol targeted by exploit
Blockaid
Blockchain security firm that identified the exploit
CertiK
Blockchain security firm that confirmed the exploit
Morpho
Source of the flash loan
0x7BF…3BDCa
Attacker's wallet address
PeckShield
Security firm that confirmed the exploit
Phalcon
Exploit monitoring platform that confirmed the exploit

↳ Why This Matters

This incident underscores the ongoing security challenges within the decentralized finance (DeFi) space, particularly concerning flash loan attacks and tokenized vault vulnerabilities. It raises questions about the robustness of automated yield strategies and the due diligence required even for audited platforms.

Key facts

  • A flash loan exploit targeted Summer.fi's Lazy Summer Protocol.
  • The attacker obtained a $65.4 million flash loan from Morpho.
  • Approximately $6 million was stolen, primarily in DAI.
  • The exploit manipulated vault share accounting.
  • The vulnerability exploited was related to ERC-4626 tokenized vaults.
  • Initial reports suggest external user funds were not at risk.

Earlier today, blockchain security firms Blockaid and CertiK identified a flash loan exploit targeting Summer.fi's Lazy Summer Protocol. The attacker utilized a $65.4 million flash loan sourced from Morpho to manipulate the accounting of vault shares, ultimately extracting approximately $6 million, predominantly in DAI, within a single atomic transaction.

The exploit targeted a specific ERC-4626-style vault, LazyVault_LowerRisk_USDC. The attacker's wallet, which had received funds two months prior, routed the flash loan through Curve, Uniswap, and Balancer to distort vault liquidity and share prices. By making large deposits and withdrawals simultaneously, the exploiter inflated the vault's share accounting before repaying the loan.

This attack vector, leveraging a known vulnerability in tokenized vaults related to share inflation through token donations, has been observed in previous DeFi incidents, such as the Yearn Finance exploit on Aave. Security firms PeckShield and Phalcon also confirmed the incident.

Summer.fi had not issued an official statement at the time of the initial alert. Blockaid alerted users in real-time. CertiK reported the attacker profited around $6 million through liquidity manipulation. Initial reports indicated that the exploit was confined to the affected vault's mechanics, and no external user funds were at risk. The incident highlights the persistent risks associated with flash loan attacks in DeFi, which require no upfront collateral and automatically revert failed attempts.

Frequently asked questions

Summer.fi is a DeFi yield vault protocol that automates the rebalancing of user deposits across various lending markets like Morpho, Fluid, and Aave for optimal returns.

A flash loan exploit involves borrowing a large sum of cryptocurrency without collateral for a single transaction. If the attacker can manipulate a protocol's logic within that transaction to profit, they repay the loan and keep the profit; otherwise, the transaction fails and reverts.

ERC-4626 is a token standard for tokenized vaults in DeFi, designed to simplify the integration of yield-bearing vaults across different protocols. Vulnerabilities in these vaults can be exploited for profit.

Initial reports indicated that no external user funds were at risk, as the exploit was limited to the affected vault's internal mechanics.

What Happens Next

01Summer.fi team to provide findings on mitigation strategy.
02Summer.fi team to conduct outreach efforts.

Get the newsletter.

Pick the topics you actually care about. We'll email when there's news worth your time, on the cadence you choose. Cancel any time from your account.

Cadence

How It Developed

A flash loan exploit was identified on Summer.fi's Lazy Summer Protocol.
An attacker used a $65.4 million flash loan from Morpho.
The attacker manipulated vault accounting and extracted approximately $6 million.
The exploit targeted a known ERC-4626 tokenized vault vulnerability.
Security firms confirmed the exploit and profit amount.
Initial reports indicate no external user funds were at risk.

Sources

T1
Just-In: Summer.fi Hit By Suspected $6M Flash Loan Exploit As DeFi Vaults TargetedCoinGape

Related Stories

Stablecoin Transaction Volume Reaches Record $1.79 Trillion in June
6 Jul · 5:50 AM
Belgian regulator flags six unauthorized crypto providers after MiCA deadline
6 Jul · 12:30 PM
Ether Leads Crypto Gains as Bitcoin Holds Above $63,000
6 Jul · 5:15 AM
Bitcoin Recovers Above $62,000 as Altcoin Optimism Grows
6 Jul · 10:50 AM
Vitalik Buterin Outlines 'Lean Ethereum' Roadmap for Major Network Overhaul
6 Jul · 7:50 AM