Lazy Summer's Not-So-Lazy Summer: Vault Math Gets $6M Reread by Prepared Attacker 💼
Back to feed

Lazy Summer's Not-So-Lazy Summer: Vault Math Gets $6M Reread by Prepared Attacker 💼

DeFi protocol Summer.fi confirmed that roughly $6.04 million was drained from two of its Lazy Summer Protocol USDC vaults in a single atomic transaction on July 6, after an attacker spent about three months accumulating assets needed to manipulate the vaults' net asset value. The post-mortem, published by the team this week, attributes the loss to an operational issue during the offboarding of an old strategy rather than a flaw in the protocol's smart contracts, and stresses that no private keys, admin privileges, or code were compromised. The Lower Risk USDC Vault lost about $5.64 million, while the Higher Risk USDC Vault lost roughly $400,000, with funds withdrawn in USDC from the protocol's liquid positions.

According to the report, the attacker donated stale-valued Silo vault tokens into an Ark that had been capped during offboarding but remained included in vault NAV calculations, artificially inflating share prices and allowing redemption at inflated values. Summer.fi pushed back against early reporting that framed the incident as a flash loan attack, stating that blockchain evidence shows wallets were funded around three months prior and that flash loans mainly provided temporary liquidity for the final transaction. Security firms Blockaid and CertiK also identified the incident, with Blockaid publishing the exploiter address 0x7BF716167B48CF527725722C6d79494b45B3BDCa, the exploit contract 0x0514F827C129C16418a0933E03C99A6AF982FC61, and affected Lazy Summer contracts 0x98C49e13bf99D7CAd8069faa2A370933EC9EcF17, 0xA9ca4909700505585B1aD2a1579dA3b670FFA9c4, and 0xE9cDA459bED6dcfb8AC61CD8cE08E2D52370cB06, while PeckShield identified the main affected vault as LazyVault_LowerRisk_USDC (LVUSDC), risk-managed by Block Analitica.

The protocol also addressed a widely shared screenshot showing an annual percentage yield of about 2.08 million%, explaining that the figure stemmed from a one-block spike in the vault's reported NAV and did not reflect actual returns. PeckShield noted that the largest current holder of the vault, address 0x8741e8f…4130, appears associated with Torben Jorgensen (UDHC) and had deposited roughly 8.6 million USDC. Following the exploit, all Lazy Summer Protocol vaults were paused and deposit caps were reduced to zero while the incident was investigated, and governance must now decide on handling the affected vaults, potential user compensation, and when unaffected vaults can safely resume operations.

Summer.fi, formerly known as Oasis.app, operates the front-end for the Lazy Summer Protocol, an onchain vault system that routes deposits across DeFi yield sources including Aave, Morpho, and Fluid. The network's native token, SUMR, traded near $0.00193, down 5.3% over 24 hours, diverging from a broader market that rose more than 1% on the day. The incident marked the second crypto exploit recorded in July, according to DeFiLlama, and follows June, when crypto platforms lost $75.87 million across 40 hacks, with the Humanity Protocol breach accounting for the largest single loss.

Mentioned Coins

$USDC
Share:
Publishercryptonewsroom.xyz
Published—
CategorySecurity

Disclaimer: This content is for information and entertainment purposes only. It does not constitute financial, investment, legal, or tax advice. Always do your own research and consult with qualified professionals before making any financial decisions.

See our Terms of Service, Privacy Policy, and Editorial Policy.