Overview
- Blockaid first flagged an active drain and estimated roughly $6 million was taken from Summer.fi’s Lazy Summer vaults on Monday, July 6, giving researchers the exploiter address and transaction hashes to begin tracing.
- Protocol guardians paused all affected Lazy Summer vaults and set deposit caps to zero to stop further outflows while Summer.fi and outside firms investigate the breach.
- Multiple security firms including CertiK and Cyvers say the attacker used a large flash loan to distort share/accounting logic (totalAssets()/share) and redeem inflated vault value, with CertiK reporting a roughly $65 million flash loan that enabled $70.9 million in redemptions.
- On-chain traces show the stolen USDC was swapped into DAI through Curve and moved to an attacker-controlled wallet that has been published, but recovery depends on where the funds travel next and whether custodial services intervene.
- Summer.fi’s postmortem published after the exploit says the attack involved months of preparation and exploited an incomplete offboarding process that left stale assets in NAV calculations, and governance must now decide on compensation and when to reopen vaults.