Lazy Summer? More Like Lazy Security: Summer.fi Vault Drained for $6M
Back to feed

Lazy Summer? More Like Lazy Security: Summer.fi Vault Drained for $6M

Summer.fi has been exploited for approximately $6 million, with on-chain security firms tracing the attack to a single atomic transaction that manipulated vault share accounting. Blockaid's detection system first surfaced the incident on Monday and identified the exploit contract at 0x0514F827C129C16418a0933E03C99A6AF982FC61, the attacker address at 0x7BF716167B48CF527725722C6d79494b45B3BDCa, and three affected Lazy Summer contracts: 0x98C49e13bf99D7CAd8069faa2A370933EC9EcF17, 0xA9ca4909700505585B1aD2a1579dA3b670FFA9c4, and 0xE9cDA459bED6dcfb8AC61CD8cE08E2D52370cB06. CertiK also confirmed the attack. The incident occurred on July 6, 2026.

According to on-chain analysis, the attacker sourced a $65.4 million flash loan from Morpho and used it to drain about $6 million, mostly denominated in DAI, from the protocol. The exploit targeted a known ERC-4626-style vulnerability in the LazyVault_LowerRisk_USDC vault, which is risk-managed by Block Analitica and briefly displayed an APY of approximately 2.08 million %. PeckShield noted the vault's largest current holder as 0x8741e8f…4130, an address associated with Torben Jorgensen (UDHC), which had deposited roughly 8.6 million USDC. The attacker wallet had received funds approximately two months prior, indicating pre-planning.

Summer.fi, formerly branded as Oasis.app, operates as the front-end for the Lazy Summer Protocol, an onchain vault system that automatically routes deposits across DeFi yield sources including Aave, Morpho, and Fluid. The protocol introduced the $SUMR governance token in January 2026. At the time of writing, $SUMR traded near $0.00193, down 5.3% over 24 hours, while the broader crypto market rose more than 1% on the day, according to CoinGecko data. Summer.fi has yet to issue an official statement on the exploit.

The attack marks the second crypto exploit recorded in July, per DeFiLlama, and follows a June that saw roughly $75.87 million lost across 40 hacks, with the Humanity Protocol breach accounting for the largest single loss. Blockaid, CertiK, and PeckShield have publicly attributed the exploit to the same vulnerability pattern that contributed to more than $500 million in DeFi flash loan-related losses industry-wide. The investigation remains active.

Mentioned Coins

$DAI$USDC
Share:
Publishercryptonewsroom.xyz
Published
CategorySecurity

Disclaimer: This content is for information and entertainment purposes only. It does not constitute financial, investment, legal, or tax advice. Always do your own research and consult with qualified professionals before making any financial decisions.

See our Terms of Service, Privacy Policy, and Editorial Policy.