Summer.fi Halts Lazy Summer Vaults After $6 Million Exploit Linked to Blockaid
Image: The Block

Summer.fi Halts Lazy Summer Vaults After $6 Million Exploit Linked to Blockaid

06 July, 2026.Crypto.11 sources

Key Takeaways

  • Summer.fi halted Lazy Summer vaults after a $6 million exploit.
  • The attack used a $65.4M flash loan to manipulate USDC vault accounting.
  • Security firms Blockaid flagged the exploit; CertiK reported suspicious activity.

$6M exploit triggers pause

DeFi yield platform Summer.fi halted its Lazy Summer vaults after an exploit that drained about $6 million, with the project and blockchain security firms linking the incident to suspicious activity flagged by Blockaid.

Summer.fi said the protocol guardians were pausing all Vaults across the Lazy Summer Protocol, and the project’s July 6, 2026 post on X stated: "We are aware of the reported exploit a little earlier today and are investigating the root cause. The protocol guardians are currently pausing all Vaults across the Lazy Summer Protocol."

Image from @coindesk
@coindesk@coindesk

CertiK said the attacker used a $65.4 million flash loan to temporarily increase the protocol’s funds and initiate a withdrawal of about $70.9 million, with the profit amounting to approximately $6 million that went to the hacker.

CoinDesk reported that Lazy Summer routes deposits across lending markets such as Aave and Morpho, and that early analyses suggested the attacker leveraged a large flash loan attack to manipulate the accounting logic of Lazy Summer's automated USDC vaults.

The protocol had $22 million in total value locked before the exploit, according to DeFiLlamadata, and Summer.fi’s SUMR token lost more than 18% of its value after the exploit was uncovered.

How the attack worked

Blockchain security firm Blockaid said its exploit detection system identified an active attack on Summer.fi, and Blockaid posted: "~$6M drained so far," while tagging Summer.fi in its warning.

CertiK Alert described the mechanics as accounting manipulation, saying the attacker was able to redeem $70.9M following a $64.8M deposit thanks to manipulation of FleetCommander's accounting of totalAssets() on a host of vaults.

Image from Bitcoin Foundation
Bitcoin FoundationBitcoin Foundation

The Block reported that CertiK said the attacker used a $65.4 million flash loan to attain a $70.9 million redemption by manipulating smart contracts on Summer.fi’s Lazy Summer Protocol, while The Block noted Summer.fi had not yet confirmed the exploit on official channels.

In a preliminary analysis cited by incrypted, Phylax Systems founder Odysseas Lamtsidis suggested the root cause was manipulation of the protocol’s accounting mechanisms rather than a compromise of private keys or admin privileges.

incrypted also said the attacker swapped the resulting excess USDC via Curve and sent more than 6 million DAI to the attacker’s address, and that the exploit contract is unverified so the exact attack logic is still unknown.

What comes next for users

Summer.fi said it was investigating the root cause after the July 6, 2026 exploit, and the project’s statement emphasized that protocol guardians were pausing all Vaults across the Lazy Summer Protocol to prevent additional losses.

On Monday, July 6, 2026, the DeFi protocol Summer Finance suffered a sophisticated attack using flash loans and price manipulation, resulting in estimated losses of $6 million

Bitcoin NewsBitcoin News

CoinDesk reported that stolen funds were apparently converted to DAI on Curve before being transferred to the attacker's wallet, and it said the incident was first flagged by Blockaid with PeckShield and CertiK also reporting suspicious activity.

Crypto Briefing said Blockaid identified three affected contracts on Ethereum, listing 0x98C49e13bf99D7CAd8069faa2A370933EC9EcF17, 0xA9ca4909700505585B1aD2a1579dA3b670FFA9c4, and 0xE9cDA459bED6dcfb8AC61CD8cE08E2D52370cB06.

Crypto Briefing also said the exploiter’s address, 0x7BF716167B48CF527725722C6d79494b45B3BDCa, and an example transaction hash, 0x0db528c44f23fc7fa4544684a2fab81096450a14aae8bc89f42cd0592d43da12, were published so independent researchers could trace fund flows.

Meanwhile, ForkLog reported that CertiK said the manipulation affected the asset accounting system in Lazy Summer, which automatically redistributes user deposits among lending platforms, making the pause and patching of the vault logic central to what happens next.

More on Crypto