Overview
- Blockaid detected an active exploit and published three affected Ethereum contract addresses, an exploiter wallet and a sample transaction to enable real‑time tracing.
- Security firms and on‑chain analysts say the attacker used a roughly $65 million flash loan to manipulate FleetCommander vault share accounting (totalAssets()) and redeem inflated value, netting about $6 million.
- On‑chain tracing shows the attacker swapped the stolen funds into DAI and moved them to an attacker‑controlled address, which complicates recovery unless centralized services intervene.
- Summer.fi acknowledged the incident and said protocol guardians paused all Lazy Summer vaults while investigators continue work, but the protocol has not released a full technical post‑mortem.
- The loss underscores broader risks in automated, multi‑protocol vault designs that route capital across Aave, Morpho and Curve and adds to rising DeFi exploit losses seen through 2026.