News

Summer Finance Pauses Vaults After $65.4M Flash Loan Attack Triggers $6M Loss

A $65.4M flash loan drained $6M from Summer.fi's Lazy Summer vaults on July 6 after an attacker broke the Fleet Commander contract's accounting logic.

Summer Finance Pauses Vaults After $65.4M Flash Loan Attack Triggers $6M Loss

Attack Mechanics

The exploit followed a three-step path. The attacker first sourced a $65.4M flash loan — per CertiK's analysis, reportedly routed through Morpho — and deposited approximately $64.8M into Lazy Summer's automated USDC vaults. The Fleet Commander contract's asset valuation logic was then manipulated to inflate total assets on the ledger; CertiK attributes the root cause to this specific accounting flaw. In the final step, the attacker redeemed $70.9M through the skewed ledger, netting $6M in profit. The proceeds were swapped to DAI via Curve and consolidated in an attacker-controlled wallet to break the on-chain trail. Blockaid flagged the activity first; PeckShield and CertiK confirmed it shortly after. DeFiLlama recorded $22M in protocol TVL at the time of the exploit.

Depositor Checklist

1. Revoke approvals on every Lazy Summer vault contract through a token approval checker. Allowances outlive the vault pause and remain a persistent attack vector if the contract is redeployed without a fix.

2. Withdraw from hot wallets. The pause halts front-end deposits and redemptions but does not alter contract state. Until Summer.fi publishes the post-mortem, treat any balance routed through these addresses as exposed.

3. Verify communications through Summer.fi's official channels only. Disclosures of this scale trigger a predictable wave of phishing DMs, airdrop scams, and "compensation" threads within 24–48 hours.

4. Suspend SUMR interaction. The 18% price collapse reflects market reaction, not risk resolution. Trading before a confirmed patch exposes users to liquidity fragmentation and governance-driven volatility.

Risk Classification

This is not an oracle failure or a reentrancy exploit. The break sits in the accounting invariant — total assets held versus total assets reported — which survives standard review when auditors focus on input validation rather than state-transition invariants under adversarial sequencing. Lazy Summer routes deposits across Aave and Morpho for yield; the integration stack added complexity without adding the accounting checks that would have flagged this manipulation.

Verdict: Do not deposit into any Lazy Summer vault until the Fleet Commander contract is redeployed or audited against the disclosed accounting flaw, and until Summer.fi publishes a full post-mortem. The current pause is containment, not remediation.