Connect with us

FINANCE

Summer.fi Halts Lazy Summer Vaults After $6M Flash Loan Exploit

Summer.fi paused its Lazy Summer vaults on July 6 after a Morpho flash loan drained about $6 million via a donation-based ERC-4626 share-inflation exploit.

Published

on

DeFi protocol Summer.fi paused its Lazy Summer vaults on Monday, July 6, 2026, after an attacker drained about $6 million through a single Morpho flash loan. Three independent blockchain security firms, Blockaid, PeckShield, and CertiK, flagged the exploit while funds were still moving, and the protocol’s SUMR governance token slid more than 18% on the news. The exploited vault sat inside about $22 million in total value locked, per DeFiLlama data, putting the drain at a sizable share of the platform on a single transaction.

How the Drain Unfolded

Blockaid’s detection system caught the exploit first, publishing the attacker’s wallet and three affected contract addresses on Ethereum before the dust settled. PeckShield and CertiK corroborated the drain within minutes, and Summer.fi confirmed it was investigating the root cause and pausing its vaults. The protocol’s guardians halted every Lazy Summer vault after the security alert, the project’s X account said.

Inside the same block, the attacker borrowed $65.4 million from Morpho in a flash loan that had to be repaid before the transaction closed. The borrowed USDC and USDT were routed through Curve, Uniswap, and Balancer to mask the trail and manipulate the vault’s pricing. The exploit was not related to compromised private keys or admin privileges, per Phylax Systems founder Odysseas Lamtsidis, who reviewed the on-chain trail. Instead, the attacker leaned on the open accounting logic of Lazy Summer’s VaultV2 components.

The method was a donation-based inflation attack against the ERC-4626 vault standard that DeFi uses to mint and redeem yield-bearing shares. By dropping tokens directly into the vault before redeeming, the attacker distorted the ratio between assets held and shares outstanding, briefly inflating the per-share price. PeckShield reported the vault’s displayed APY spiked to roughly 2,080,000% during the manipulation window. CertiK estimated the attacker redeemed $70.9 million following a $64.8 million deposit, a profit of about $6 million once the flash loan was repaid. The stolen assets were swapped to DAI on Curve and forwarded to a wallet Blockaid had already flagged.

The Vault That Took the Hit

The single vault that lost funds was LazyVault_LowerRisk_USDC, ticker LVUSDC, a strategy positioned as low-risk and rebalanced across lending markets such as Morpho. Risk management for the vault was handled by Block Analitica, a third-party firm that helps DeFi protocols set strategy parameters. The asset sits inside Lazy Summer’s broader architecture, where Keepers automatically rebalance deposits among Aave, Morpho, and other venues in search of higher risk-adjusted returns. Summer.fi markets the wrappers as institutional-grade yield infrastructure for users who don’t want to manage positions themselves.

Before the attack closed, the vault’s displayed APY had spiked to roughly 2,080,000%, a number that briefly replaced any normal yield display. Blockaid’s transaction breakdown pointed at three affected Lazy Summer contracts on Ethereum, two of which had been drained in the attack. Cyvers, another on-chain security firm, traced the attacker’s funding back to FixedFloat on the Base network, an address built up before striking Ethereum. PeckShield’s post-event analysis named one apparent victim: a wallet linked to Torben Jorgensen, the co-founder of Web3 firm UDHC. That address had deposited about 8.6 million USDC into the vault shortly before the attack, leaving the depositor among the hardest-hit users.

  • About $6 million drained from LazyVault_LowerRisk_USDC on July 6, 2026
  • $65.4 million flash loan borrowed from Morpho inside one transaction
  • 2,080,000% brief APY spike during the share-price manipulation
  • More than 18% drop in the SUMR governance token after the alert
  • About $22 million total value locked across chains before the attack

Summer.fi’s 2026 Makeover

Summer.fi began life in 2019 as Oasis.app, a platform built around MakerDAO vaults for managing DAI borrowing positions. It rebranded to Summer.fi around 2023 and broadened its focus beyond MakerDAO into a multi-protocol yield layer that routes deposits through Aave, Morpho, and other venues.

The biggest pivot landed in January 2026 with the launch of the Lazy Summer Protocol and the SUMR governance token. Summer.fi positioned the new vault stack as an AI-powered, non-custodial yield optimization layer aimed at institutional-grade infrastructure. According to the protocol’s own blog posts on vault design, SUMR became transferable that same month as governance shifted from preparation to execution.

Across three chains (Ethereum, Base, and Arbitrum), the protocol currently operates with most of its deposits on Ethereum. Before the exploit, DeFiLlama data put total value locked at $22 million across chains, with one outlet citing a higher figure closer to $34.8 million for a different snapshot. The protocol has had a turbulent year, including withdrawal freezes tied to the USDX depegging event and a near-miss involving rsETH. The team also blocked a malicious governance proposal that tried to exploit outdated access permissions, per the same incident history.

That recent track record helps explain why a drain of this size, modest by the standards of crypto’s largest breaches, lands particularly hard on Summer.fi’s books. The exploit ate up a fifth or more of the protocol’s locked assets on the $22 million TVL baseline.

Why the Same Class of Flaw Keeps Paying

The vulnerability sits inside the ERC-4626 vault standard, the default interface that tokenized yield vaults use to issue and redeem shares against deposited assets. Share price is calculated from the ratio of assets held to shares outstanding, a calculation that breaks if a single actor can change either side cheaply. A donation-based attack exploits that ratio: drop tokens directly into the vault to push the share price up, then redeem at the inflated price.

The pattern is not new. ERC-4626 inflation attacks have surfaced in prior DeFi incidents, with the Yearn Finance flash loan exploit on Aave in an earlier cycle using comparable vault manipulation mechanics, a comparison that keeps surfacing after each new case. PeckShield’s analysis noted that share-inflation attacks sit alongside bridge flaws and admin-key theft as recurring vectors in DeFi. Q2 2026 alone recorded 83 separate exploits across the sector, the highest count on record, with many of the smaller drains clustering around accounting manipulation. For another recent example of how a DeFi exploit can unfold, see how Drift’s $280 million exploit unfolded after a six-month social engineering campaign.

By any measure, the Summer.fi incident adds to a difficult year for the sector. Cumulative DeFi losses from hacks passed $840 million by the start of Q3 2026, per figures cited in coverage of the incident. April accounted for more than $640 million of that total on its own, driven by a small number of large drains. The Summer.fi case sits in the long tail of smaller incidents that pile up at the protocol level. Yearn and other early DeFi protocols pointed to donation-based attacks years ago; the lesson has lagged the rollout.

The Response So Far

Summer.fi’s official X account, @summerfinance_, acknowledged the attack on the same day. The team said protocol guardians had begun pausing all Lazy Summer vaults and that a root-cause investigation was underway. No user compensation plan has been announced at writing, and the protocol has not posted a comprehensive post-mortem.

We are aware of the reported exploit a little earlier today and are investigating the root cause. The protocol guardians are currently pausing all Vaults across the Lazy Summer Protocol. We will provide more updates as we have them.

The response pace mirrors how the protocol has handled earlier incidents. Summer.fi walked away from the rsETH near-miss without a public loss statement, then later blocked a malicious governance proposal that tried to exploit stale access permissions. The team’s blog continues to publish governance recaps while the technical work proceeds. Phylax Systems founder Odysseas Lamtsidis, whose preliminary analysis helped shape early public discussion of the exploit, called it an accounting-logic flaw rather than a compromised key.

For comparison, how Gnosis Pay refunded every Zodiac exploit victim after its own June 1 attack shows the range of responses DeFi users have seen this year. At writing, Blockaid’s alert remains the most detailed public technical breakdown of the exploit, and Summer.fi’s investigation was still listed as ongoing by the team’s own X account.

Frequently Asked Questions

What was exploited in Summer.fi’s $6 million hack?

An ERC-4626 share-inflation vulnerability in Summer.fi’s LazyVault_LowerRisk_USDC, ticker LVUSDC. The attacker used a single Morpho flash loan to deposit and withdraw tokens within one transaction, distorted the vault’s share-price math, and walked away with about $6 million in DAI. Blockaid first flagged the attack on July 6; Summer.fi paused all Lazy Summer vaults in response.

How did the attacker profit from a single flash loan?

The attacker borrowed $65.4 million from Morpho in a transaction that had to be repaid within the same block. Borrowing that much USDC and USDT let them manipulate the vault’s share-price ratio by donating tokens and redeeming inflated shares, then swapping the excess into DAI on Curve before the transaction closed. CertiK estimated the redemption at $70.9 million against a $64.8 million deposit, the net working out to roughly $6 million in profit.

Did the SUMR token drop after the Summer.fi exploit?

The SUMR governance token slid more than 18% on the day the exploit was flagged. The token launched as transferable in January 2026, when Summer.fi pivoted to the Lazy Summer Protocol. Holders are not directly reimbursed through SUMR; any compensation would have to come from the protocol.

Why do ERC-4626 share-inflation attacks keep draining DeFi?

ERC-4626 is the standard interface that tokenized vaults across DeFi use to issue and redeem shares against deposited assets. Share price is set by the ratio of assets held to shares outstanding, a calculation that breaks when one actor can change either side cheaply. A donation-based attack exploits that ratio by dropping tokens into the vault and redeeming at an inflated price; defending it requires redesigning share-pricing math rather than relying on per-vault patches, a fix most protocols have not adopted.

Disclaimer: This article is informational only and does not constitute financial, investment, or legal advice. Digital asset markets carry significant risk, including total loss of capital. Past figures cited reflect specific incidents and are not predictive of future outcomes. Always consult a qualified professional before making financial decisions, and verify figures against original sources as data can change rapidly.

As the founder of Thunder Tiger Europe Media, Dr. Elias Thornwood brings over 25 years of experience in international journalism, having reported from conflict zones in the Middle East, Asia, and Africa for outlets like BBC World and Reuters. With a PhD in International Relations from Oxford University, his expertise lies in geopolitical analysis and global diplomacy. Elias has authored two bestselling books on European foreign policy and received the Pulitzer Prize for International Reporting in 2015, establishing his authoritativeness in the field. Committed to trustworthiness, he enforces rigorous fact-checking protocols at Thunder Tiger, ensuring unbiased, evidence-based coverage of worldwide news to empower informed global audiences.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending