Summer.fi Hit by Suspected $6M Flash Loan Exploit
The DeFi platform Summer.fi has been hit by a suspected $6M flash loan exploit. On June 15, 2023, blockchain security firms Blockaid and CertiK identified a flash loan exploit on Summer.fi's Lazy Summer Protocol. The attacker sourced a $65.4 million flash loan from Morpho, which was then used to manipulate vault liquidity and share prices.
The exploit targeted one of Summer.fi's ERC-4626-style vaults, known as LazyVault_LowerRisk_USDC. By making large deposits and withdrawals within a single atomic transaction, the exploiter distorted the vault's share accounting and extracted approximately $6 million before repaying the flash loan.
The attack leveraged a known ERC-4626 tokenized vault vulnerability involving share inflation through token donations. This is not an isolated incident, as similar attacks have been observed in DeFi protocols such as Yearn Finance on Aave. The exploit monitoring platform Phalcon and security firm PeckShield independently confirmed the attack.
The Summer.fi team has yet to release a statement regarding the incident. Blockaid alerted users in real-time through its threat detection network, warning them of the potential risks associated with the affected vault. Initial reports indicate that no external user funds were at risk, as the exploit was limited to the affected vault's mechanics.




