tradingkey.logo
tradingkey.logo
Search

Exploiters drain $6M in Summer.fi Lazy Summer contract hack

CryptopolitanJul 6, 2026 11:08 AM
facebooktwitterlinkedin
View all comments0

Attackers have drained around $6 million from Summer.fi‘s Lazy Summer protocol on July 6, exploiting a USDC vault whose advertised yield briefly jumped past 2 million percent, according to on-chain security firms Blockaid and PeckShieldAlert.

Blockaid wrote on X that its exploit detection system had identified the exploit when it was ongoing.

The security firm stated then that about $6 million had been “drained so far” while the transactions were still moving.

A follow-up post from Blockaid published the exploit transaction, the attacker’s wallet, the exploit contract, and the list of affected Lazy Summer contracts.

The target was a single vault that PeckShieldAlert identified as LazyVault_LowerRisk_USDC, ticker LVUSDC, a strategy risk-managed by the firm BlockAnalitica.

According to PeckShieldAlert, “LVUSDC’s displayed APY briefly spiked to ~2.08M%,” and added that the largest holder of the vault after the exploit “appears to be associated with Torben Jorgensen.”

How did the Summer.fi attack work?

According to BlockTempo, which cited Blockaid’s timing of 05:17, the attacker ran a donation-based inflation attack against an ERC-4626 vault.

The ERC-4626 standard is the default interface for vaults that issue shares against deposited tokens, and it calculates share price based on the ratio of assets held to shares outstanding.

If an attacker donates a small amount of tokens directly into the vault, they could theoretically distort that ratio and push the price of a single share far above its fair value, then redeem for more than they put in.

BlockTempo reported that the operation was funded by a flash loan taken from Morpho, a loan borrowed and repaid inside one transaction, with the trades routed through Uniswap, Curve, and Balancer.

What is the impact of the exploit on Summer.fi?

The exploited figure is modest by the standards of crypto’s largest breaches, but it is large relative to Summer.fi‘s size.

The protocol has around $34.8 million in total value locked, most of it, and over $32.4 million is on Ethereum, per Defillama data. The $6 million drain is close to a fifth of the platform’s assets, which is substantial.

Summer.fi markets itself as a yield aggregator that lets users “borrow, multiply and earn” across lending venues, with the Lazy Summer vaults routing deposits into strategies built on protocols such as Morpho.

Q2 2026 saw the most attacks on record by incident count, with over 83 separate exploits. That quarter was characterized by many smaller drains, and share-price and accounting manipulations sit alongside bridge flaws and admin-key theft as recurring vectors.

Summer.fi has acknowledged the attack, writing on X, “We are aware of the reported exploit a little earlier today and are investigating the root cause. The protocol guardians are currently pausing all Vaults across the Lazy Summer Protocol.”

The team states that they will provide more updates as they come.

If you're reading this, you’re already ahead. Stay there with our newsletter.

Disclaimer: The information provided on this website is for educational and informational purposes only and should not be considered financial or investment advice.

Comments (0)

Click the $ button, enter the symbol, and select to link a stock, ETF, or other ticker.

0/500
Commenting Guidelines
Loading...

Recommended Articles

tradingkey.logo
* References, analysis, and trading strategies are provided by the third-party provider, Trading Central, and the point of view is based on the independent assessment and judgement of the analyst, without considering the investment objectives and financial situation of the investors.
Risk Warning: Our Website and Mobile App provides only general information on certain investment products. Finsights does not provide, and the provision of such information must not be construed as Finsights providing, financial advice or recommendation for any investment product.
Investment products are subject to significant investment risks, including the possible loss of the principal amount invested and may not be suitable for everyone. Past performance of investment products is not indicative of their future performance.
Finsights may allow third party advertisers or affiliates to place or deliver advertisements on our Website or Mobile App or any part thereof and may be compensated by them based on your interaction with the advertisements.
© Copyright: FINSIGHTS MEDIA PTE. LTD. All Rights Reserved.