Key facts
- A flash loan exploit targeted Summer.fi's Lazy Summer Protocol.
- The attacker obtained a $65.4 million flash loan from Morpho.
- Approximately $6 million was stolen, primarily in DAI.
- The exploit manipulated vault share accounting.
- The vulnerability exploited was related to ERC-4626 tokenized vaults.
- Initial reports suggest external user funds were not at risk.
Earlier today, blockchain security firms Blockaid and CertiK identified a flash loan exploit targeting Summer.fi's Lazy Summer Protocol. The attacker utilized a $65.4 million flash loan sourced from Morpho to manipulate the accounting of vault shares, ultimately extracting approximately $6 million, predominantly in DAI, within a single atomic transaction.
The exploit targeted a specific ERC-4626-style vault, LazyVault_LowerRisk_USDC. The attacker's wallet, which had received funds two months prior, routed the flash loan through Curve, Uniswap, and Balancer to distort vault liquidity and share prices. By making large deposits and withdrawals simultaneously, the exploiter inflated the vault's share accounting before repaying the loan.
This attack vector, leveraging a known vulnerability in tokenized vaults related to share inflation through token donations, has been observed in previous DeFi incidents, such as the Yearn Finance exploit on Aave. Security firms PeckShield and Phalcon also confirmed the incident.
Summer.fi had not issued an official statement at the time of the initial alert. Blockaid alerted users in real-time. CertiK reported the attacker profited around $6 million through liquidity manipulation. Initial reports indicated that the exploit was confined to the affected vault's mechanics, and no external user funds were at risk. The incident highlights the persistent risks associated with flash loan attacks in DeFi, which require no upfront collateral and automatically revert failed attempts.