DeFi Protocol Summer.fi Halts Lazy Summer Vaults After $6M Exploit

Decentralized finance protocol Summer.fi has paused its Lazy Summer vaults after an exploit that drained around $6 million from the Ethereum-based performance platform, according to the project and several blockchain security firms.

Lazy Summer is an automated yield platform that directs deposits through credit markets like Aave and Morpho in search of higher returns while handling rebalancing on behalf of users.

The incident was first reported by blockchain security company Blockaid, with PeckShield and CertiK also reporting suspicious activity. Summer.fi later confirmed that it was investigating the attack and said that protocol guardians had paused the affected vaults to prevent additional losses.

The first analyzes suggest that the attacker took advantage a large flash loan attack, allegedly obtained through Morpho, to manipulate the accounting logic of Lazy Summer’s automated USDC vaults.

DeFi security researcher Bhari noted that the exploit took advantage of a flaw in the code to inflate total assets, which were then allowed to be redeemed for a net profit. The stolen funds were apparently converted to DAI on Curve before being transferred to the attacker’s wallet.

The protocol had a total locked value of $22 million before the exploit, according to data from DeFiLlama. The protocol’s SUMR token lost more than 18% of its value after the exploit was discovered.

Leave a Comment

Your email address will not be published. Required fields are marked *