DeFi vault platform Summer Finance was drained of roughly $6 million on Monday in an exploit that security firm Blockaid said its detection system flagged as it was unfolding. Blockaid posted the exploit transaction, the attacker's address and the affected Lazy Summer contracts within minutes of its initial alert, and PeckShield separately confirmed the $6 million loss in DAI.
“We are aware of the reported exploit a little earlier today and are investigating the root cause,” Summer Finance said in an X post at 4:42 a.m. Easter Time, its latest update at press time. “The protocol guardians are currently pausing all Vaults across the Lazy Summer Protocol.”
Summer Finance, known as SummerFi, is a DeFi yield-aggregation and automated vault-management platform with about $25 million of Total Value Locked, according to DeFiLlama. Blockchain analytics firm Onchain Lens, relayed by WuBlockchain, said the attacker took out a 64.8 million USDC flash loan to exploit the protocol by abusing parent vault Fleet Commander's trust in its underlying Ark strategy contract.
The maneuver artificially inflated the Ark's reported assets to about $7.14 million, letting the attacker redeem roughly 71 million USDC before repaying the flash loan and pocketing the difference. Security firm CertiK put the flash loan size at $65.4 million and estimated the attacker's profit at about $6 million, a figure consistent with Blockaid's and PeckShield's tallies.







