$6M Summer Finance Heist: Flash Loan Attack Tricks AI-Powered Vault
Summer Finance (Summer.fi) lost $6 million in a flash loan vault exploit on July 6. The attack occurred when an attacker used a $65.4 million flash loan to manipulate the accounting logic of Summer.fi's Lazy Summer Protocol, which uses AI keepers to allocate and rebalance user deposits across multiple lending platforms.
The protocol's Fleet Commander smart contract is responsible for managing its vaults and calculating their values. However, the attacker distorted the totalAssets() function used by this contract to redeem $70.9 million, netting a $6 million profit. The attack was made possible through a second component called the Ark, which connects each vault to an underlying lending protocol.
CertiK and Cyvers, blockchain security firms, separately identified the attack vector as a share accounting vulnerability exploited through price manipulation. After completing the exploit, the attacker converted the stolen funds into DAI stablecoins and moved them to an address under their control.




