Wednesday, July 8, 2026

Summer.fi Pauses Lazy Summer Vaults After $6M Flash Loan Exploit on Ethereum

Neon illustration of an Ethereum vault with a shadowy attacker, blurred analytics, and Summerfi branding with blue-purple glow.

Decentralized finance platform Summer.fi has halted all vaults under its Lazy Summer protocol after an exploit drained approximately $6 million from its Ethereum deployment. Protocol guardians paused the vaults shortly after on-chain security monitors flagged irregular transaction patterns.

Summer.fi said its development team is investigating the technical root cause of the breach. The pause blocks deposits and withdrawals across Lazy Summer vaults while forensic analysis continues and the team works to isolate the accounting flaw.

Flash Loan Attack Targets Fleet Commander Accounting

Security analysis points to a multi-step flash loan attack involving about $65.4 million. CertiK data shows the attacker deposited roughly $64.8 million into the protocol environment before executing withdrawals worth approximately $70.9 million.

That gap created an estimated net profit of about $6 million. The exploit appears to have targeted asset-accounting logic inside the Fleet Commander contract rather than relying on compromised administrative keys.

Blockaid initially flagged the suspicious transaction activity, while follow-up analysis from PeckShield and CertiK outlined how the flash loan temporarily distorted the protocol’s valuation framework. Summer.fi’s automated yield routing, which allocates user capital across lending venues such as Aave and Morpho, processed the altered metrics as valid.

Transaction records show the extracted capital was quickly swapped into DAI through Curve Finance before moving to an external wallet. Security researchers tracking the flow said the rapid stablecoin conversion appeared designed to complicate tracing and potential recovery.

Vaults Remain Paused Pending Post-Mortem

Before the incident, DeFiLlama data placed Summer.fi’s total value locked at approximately $22 million. After public confirmation of the exploit, the protocol’s SUMR token fell by more than 18% across trading venues.

Independent security analysts have advised users with active smart contract approvals linked to the affected vaults to review and revoke permissions until Summer.fi publishes formal guidance. That recommendation reflects standard caution after vault-related exploits, especially when the exact vulnerability remains under review.

Lazy Summer vault operations remain suspended while developers isolate the accounting flaw. Summer.fi said it will release further technical documentation once the forensic review is complete and a comprehensive post-mortem has been prepared.

For now, the incident highlights the risk of same-transaction accounting manipulation in DeFi yield systems. The final scope of affected users, remediation steps and potential recovery measures will depend on Summer.fi’s full incident report.

Scroll to Top
Chain Report
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.