Particle.news

Summer.fi Loses About $6 Million in Flash‑Loan Vault Exploit

A flash loan attack distorted Summer.fi’s vault accounting, converting the proceeds to DAI and leaving a full post‑mortem and recovery uncertain.

Overview

  • Blockaid detected an active exploit and published three affected Ethereum contract addresses, an exploiter wallet and a sample transaction to enable real‑time tracing.
  • Security firms and on‑chain analysts say the attacker used a roughly $65 million flash loan to manipulate FleetCommander vault share accounting (totalAssets()) and redeem inflated value, netting about $6 million.
  • On‑chain tracing shows the attacker swapped the stolen funds into DAI and moved them to an attacker‑controlled address, which complicates recovery unless centralized services intervene.
  • Summer.fi acknowledged the incident and said protocol guardians paused all Lazy Summer vaults while investigators continue work, but the protocol has not released a full technical post‑mortem.
  • The loss underscores broader risks in automated, multi‑protocol vault designs that route capital across Aave, Morpho and Curve and adds to rising DeFi exploit losses seen through 2026.