Summer.fi pauses Lazy Summer vaults after $6M flash loan exploit
In brief
- Summer.fi paused Lazy Summer vaults following a $6M flash loan exploit that drained user funds.
- Attacker inflated vault accounting via Morpho to redeem assets for profit.
- Blockaid, PeckShield, and CertiK detected the suspicious activity.
- SUMR token declined over 18% after the exploit disclosure.
The Attack
Blockchain security firm Blockaid first flagged the incident, with PeckShield and CertiK also reporting suspicious activity. Summer.fi protocol guardians paused affected vaults to prevent additional losses once the attack was confirmed.
Early analyses reveal the attacker used a large flash loan, reportedly sourced through Morpho, to manipulate the accounting logic of Lazy Summer's automated USDC vaults. The exploit hinged on a code flaw that allowed the attacker to artificially inflate the platform's total asset count.
"The exploit took advantage of a flaw in the code to inflate total assets, which they were then allowed to redeem for a net profit," DeFi security researcher Bhari noted.
Aftermath
The stolen funds were converted to DAI on Curve before being transferred to the attacker's wallet. Summer.fi had $22 million in total value locked before the exploit struck, meaning the attack drained roughly 27% of the protocol's assets.
The market reacted swiftly. The protocol's SUMR token lost more than 18% of its value after the exploit became public. This sharp decline reflects investor concern about the platform's security posture and the speed at which the attack unfolded.
Flash loan attacks remain a persistent vulnerability in DeFi. They allow attackers to borrow large sums without collateral, provided the funds are returned within the same transaction. Lazy Summer's reliance on accounting logic to track user balances created an opening that the attacker exploited.


