Monday, July 6, 2026

Summer Finance Drained of Approximately $6 Million in Flash Loan Exploit

Neon illustration of a DeFi vault under a flash loan attack with flickering assets and a cyan-blue, purple glow.

Decentralized yield protocol Summer Finance, commonly known as Summer.fi, suffered a roughly $6 million exploit on July 6, 2026, after multiple security firms flagged suspicious on-chain activity tied to its Lazy Summer Protocol. Blockaid said its exploit detection system had identified an ongoing attack against Summer.fi, while Cyvers, CertiK and Phylax-linked analysis later outlined a flash loan-driven accounting manipulation.

 

 

Summer.fi later acknowledged the reported exploit and said protocol guardians were pausing all vaults across the Lazy Summer Protocol while the team investigated the root cause. That response confirmed active mitigation, but it did not yet provide a full post-mortem, reimbursement plan or definitive technical explanation.

Exploit Traced to Vault Accounting Manipulation

CertiK said the attacker used a $65.4 million flash loan to obtain a $70.9 million redemption by manipulating how Summer.fi’s Lazy Summer Protocol accounted for assets in its vaults. The firm specifically pointed to FleetCommander’s totalAssets() accounting across several vaults, including Silo: Varlamore USDC Growth, where assets had allegedly been accumulated and donated to the Ark during the attack sequence.

Phylax Systems founder Odysseas Lamtzidis described the apparent root cause as same-transaction vault and Ark accounting combined with liquidity manipulation, rather than a private-key compromise or admin-role abuse. He also identified the attacker contract 0x0514F827C129C16418a0933E03C99A6AF982FC61 as the only unverified contract in the sequence, while core Summer Finance components involved remained verified.

The on-chain reference transaction most widely circulated for the exploit is 0x0db528c44f23fc7fa4544684a2fab81096450a14aae8bc89f42cd0592d43da12. Etherscan data for that transaction shows interactions from the exploit contract 0x0514F827C129C16418a0933E03C99A6AF982FC61 to Summer-linked contracts, including 0x98C49e13bf99D7CAd8069faa2A370933EC9EcF17.

Blockaid and Cyvers Identify Wallets and Fund Movement

Blockaid-linked on-chain reporting identified the exploiter address as 0x7BF716167B48CF527725722C6d79494b45B3BDCa and the exploit contract as 0x0514F827C129C16418a0933E03C99A6AF982FC61. The three affected Summer.fi or Lazy Summer contracts were listed as 0x98C49e13bf99D7CAd8069faa2A370933EC9EcF17, 0xA9ca4909700505585B1aD2a1579dA3b670FFA9c4 and 0xE9cDA459bED6dcfb8AC61CD8cE08E2D52370cB06.

Etherscan now labels 0x7BF716167B48CF527725722C6d79494b45B3BDCa as “Summer.fi Exploiter 1,” adding an on-chain verification layer for public tracing. The explorer also references the same exploit transaction hash, giving analysts a direct path to inspect the transaction flow and subsequent address activity.

Cyvers said the attacker appeared to exploit a share-accounting vulnerability through price manipulation, after an address funded via FixedFloat on Base executed a suspicious transaction on Ethereum. The firm also said the stolen funds were converted into DAI and moved to attacker-controlled wallets.

The incident therefore appears to be an accounting and liquidity-assumption failure rather than a privileged-access breach, based on the available security assessments. That distinction matters because the attack did not require control of Summer.fi administrative keys, but instead exploited how the vault system calculated assets and redemptions inside a compressed transaction path.

Several critical details remain unresolved pending Summer.fi’s full incident report. The project has not yet confirmed the final root cause, the complete scope of affected vault positions, the level of user exposure or whether any protocol-level remediation or recovery plan will be implemented.

The exploit is best understood as a high-value flash loan attack against Lazy Summer vault accounting logic. The confirmed on-chain identifiers provide a basis for tracing, while the broader operational impact will depend on Summer.fi’s post-mortem, vault pause outcome and any remediation framework that follows.

Scroll to Top
Chain Report
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.