Summer.fi reveals months-long preparation behind $6M DeFi exploit

ambcrypto2026-07-07 tarihinde yayınlandı2026-07-07 tarihinde güncellendi

Özet

Summer.fi has detailed a $6.04 million exploit against its Lazy Summer Protocol USDC vaults, concluding it was a planned attack executed on July 6 after roughly three months of preparation. The root cause was an operational issue during the offboarding of an old strategy, not a smart contract bug. The attacker manipulated the net asset value (NAV) of two USDC vaults by donating stale-valued Silo vault tokens into an Ark that, despite being capped during offboarding, was still included in NAV calculations. This artificially inflated the vaults' share prices, allowing the attacker to redeem shares and withdraw $6.04 million. Losses were split between the Lower Risk Vault (~$5.64M) and the Higher Risk Vault (~$400k). Summer.fi emphasized the exploit did not involve compromised keys or a coding flaw. It also clarified the attack was not a simple flash loan exploit; flash loans only provided final transaction liquidity, while the attacker had accumulated the necessary assets months in advance. All protocol vaults are currently paused. Governance must now decide on compensation for affected users and when unaffected vaults can safely resume operations.

Summer.fi has published a detailed post-mortem on the $6.04 million exploit that drained two of its Lazy Summer Protocol USDC vaults. It concludes that the attack was planned months in advance rather than being an opportunistic flash loan exploit.

The report says the attacker spent roughly three months accumulating the assets needed to manipulate the protocol. The exploit was executed in a single atomic transaction on July 6.

It also argues that the root cause was an operational issue during the offboarding of an old strategy rather than a flaw in the protocol’s smart contracts.

Attack exploited incomplete offboarding process

According to the post-mortem, the attacker manipulated the net asset value [NAV] of two USDC vaults. Stale-valued Silo vault tokens were donated into an Ark that had been capped during an offboarding process. However, the Ark remained included in the vault’s NAV calculations.

That artificially inflated the vault’s share price, allowing the attacker to redeem shares at an inflated value. The attacker then withdrew approximately $6.04 million in USDC from the protocol’s liquid positions.

The losses were split between the Lower Risk USDC Vault, which lost about $5.64 million, and the Higher Risk USDC Vault, which lost roughly $400,000.

Summer.fi stressed that the exploit was not caused by compromised private keys, administrative privileges, or a coding bug. Instead, it said the affected contracts behaved as designed.

Still, an impaired Ark remained active in the vault’s accounting after its deposit cap had been set to zero.

Preparation began months before the exploit

The report also challenges the early narrative that the exploit was simply a flash loan attack.

Summer.fi said blockchain evidence indicates the attacker funded multiple wallets around three months before the incident. The attacker then gradually accumulated stale-valued Silo vault tokens, which were later used to inflate the vaults’ NAV.

The flash loans primarily provided temporary liquidity for the final transaction rather than creating the vulnerability itself.

The protocol also addressed a widely shared screenshot showing an annual percentage yield of roughly 2.08 million%. It explains that the figure resulted from a one-block spike in the vault’s reported NAV and did not represent actual investment returns.

Protocol paused as governance weighs next steps

Following the exploit, all Lazy Summer Protocol vaults were paused, and deposit caps were reduced to zero while the incident was investigated.

The report said governance must now decide how to handle the affected vaults, whether to compensate users, and when unaffected vaults can safely resume operations.


Final Summary

  • Summer.fi said the $6.04 million exploit was planned over several months and stemmed from an incomplete vault offboarding process.
  • The protocol has paused all vaults while governance considers compensation, remediation, and the safe reopening of unaffected markets.

İlgili Sorular

QWhat was the root cause of the $6.04 million exploit on Summer.fi's Lazy Summer Protocol?

AThe root cause was an operational issue during the offboarding of an old strategy, not a flaw in the smart contracts. Specifically, an Ark that had been capped during offboarding remained included in the vault's NAV calculations, allowing its stale-valued tokens to be used to artificially inflate the share price.

QHow long did the attacker prepare for the exploit, and how does this challenge the initial narrative?

AThe attacker spent roughly three months preparing by funding wallets and accumulating stale-valued Silo vault tokens. This challenges the initial narrative that it was a simple flash loan attack, as the flash loans only provided temporary liquidity for the final transaction rather than creating the vulnerability.

QWhat specific vulnerability did the attacker exploit in the vaults' mechanics?

AThe attacker exploited an incomplete offboarding process. They donated stale-valued Silo vault tokens into an Ark that had been capped (deposit cap set to zero) but was still active in the vault's Net Asset Value (NAV) calculations. This artificially inflated the vault's share price, allowing the attacker to redeem shares at an inflated value.

QWhat were the financial losses from the exploit, and how were they distributed?

AThe total loss was approximately $6.04 million in USDC. The Lower Risk USDC Vault lost about $5.64 million, and the Higher Risk USDC Vault lost roughly $400,000.

QWhat actions did Summer.fi take immediately after the exploit, and what are the next steps?

AImmediately after the exploit, Summer.fi paused all Lazy Summer Protocol vaults and reduced deposit caps to zero. The next steps are up to governance, which must decide how to handle the affected vaults, whether to compensate users, and when unaffected vaults can safely resume operations.

İlgili Okumalar

Ondo, the Leader in RWA Tokenization, is Entering the Perp DEX Arena

Ondo Finance, the dominant player in the real-world asset (RWA) tokenization space, is entering the perpetual futures (Perp) DEX arena with the launch of "Ondo Perps." This move signifies a strategic pivot from primarily being an asset issuer to becoming a comprehensive trading infrastructure provider. The platform uniquely focuses on tokenized traditional assets like stocks, indices (e.g., US 500), and commodities (gold, silver, oil), offering up to 20x leverage for 24/7 trading. A key differentiator is its planned multi-asset collateral system, which will allow users to employ tokenized stocks and bonds as margin, enabling sophisticated portfolio hedging and strategies. This approach leverages Ondo's existing strengths—deep institutional relationships, regulatory approvals, and a vast library of tokenized assets—to create a bridge between traditional finance liquidity and decentralized, permissionless trading. By integrating its asset issuance (Ondo Global Markets) with a proprietary trading venue, Ondo aims to complete the RWA financialization loop, transforming tokenized holdings from passive investments into productive capital for leverage and complex financial engineering. The launch positions Ondo Perps not just as another derivatives exchange, but as a foundational piece of next-generation infrastructure merging TradFi assets with DeFi-native execution.

Foresight News4 saat önce

Ondo, the Leader in RWA Tokenization, is Entering the Perp DEX Arena

Foresight News4 saat önce

İşlemler

Spot
活动图片