DeFi vault platform Summer Finance was drained of roughly $6 million on Monday in an exploit that security firm Blockaid said its detection system flagged as it was unfolding. Blockaid posted the exploit transaction, the attacker’s address and the affected Lazy Summer contracts within minutes of…
DeFi vault platform Summer Finance was drained of roughly $6 million on Monday in an exploit that security firm Blockaid said its detection system flagged as it was unfolding. Blockaid posted the exploit transaction, the attacker’s address and the affected Lazy Summer contracts within minutes of its initial alert, and PeckShield separately confirmed the $6 million loss in DAI.
“We are aware of the reported exploit a little earlier today and are investigating the root cause,” Summer Finance said in an X post at 4:42 a.m. Easter Time, its latest update at press time. “The protocol guardians are currently pausing all Vaults across the Lazy Summer Protocol.”
Summer Finance, known as SummerFi, is a DeFi yield-aggregation and automated vault-management platform with about $25 million of Total Value Locked, according to DeFiLlama. Blockchain analytics firm Onchain Lens, relayed by WuBlockchain, said the attacker took out a 64.8 million USDC flash loan to exploit the protocol by abusing parent vault Fleet Commander’s trust in its underlying Ark strategy contract.
The maneuver artificially inflated the Ark’s reported assets to about $7.14 million, letting the attacker redeem roughly 71 million USDC before repaying the flash loan and pocketing the difference. Security firm CertiK put the flash loan size at $65.4 million and estimated the attacker’s profit at about $6 million, a figure consistent with Blockaid’s and PeckShield’s tallies.
Independent researcher analysis found the exploit relied on legitimate protocol functions, including deposit, redeem and withdrawFromArks calls, rather than compromised keys or admin access. The researcher described the root cause as an accounting vulnerability exploitable within a single transaction.
The attack targeted how Summer Finance’s Fleet Commander vault architecture priced assets held in its Ark strategy modules, allowing a single flash-loaned transaction to inflate reported holdings and extract funds before repayment. Summer Finance had not issued its own public statement on the incident as of publication.

