Web3 security platform Blockaid reported an ongoing exploit targeting DeFi platform Summer.fi, with approximately $6 million in assets drained so far.
According to Blockaid, the attack affected the platform’s Lazy Summer smart contracts. Security researchers said a wallet funded through FixedFloat on the Base network initiated a suspicious transaction on Ethereum.
Preliminary analysis indicates the attacker exploited a vulnerability in the vault’s share accounting mechanism by manipulating asset prices. The stolen funds were subsequently converted into DAI and transferred to an address controlled by the attacker.
Blockchain security firm PeckShield identified the primary affected vault as LazyVault_LowerRisk_USDC (LVUSDC), which is managed by Block Analitica. During the incident, the vault’s displayed annual percentage yield (APY) briefly surged to around 2.08 million, reflecting the abnormal state of the protocol. PeckShield also noted that one of the vault’s largest holders, a wallet believed to be associated with Torben Jorgensen (UDHC), had deposited roughly 8.6 million USDC into the affected vault.
Separately, CertiK pointed to a suspicious transaction consistent with a flash loan attack. According to the firm’s analysis, the attacker obtained a flash loan worth approximately $65.4 million and used the borrowed funds to manipulate liquidity across Curve’s DAI/USDC pools and Morpho V2 vaults. The exploit is believed to have abused the vault deallocation mechanism, enabling the attacker to manipulate share accounting before extracting $6 million in profit. The flash loan was repaid within the same blockchain transaction, meaning the attacker did not need to commit their own capital beyond transaction fees.
Flash loan attacks remain difficult to prevent because they allow large amounts of capital to be borrowed and repaid within a single transaction, making it possible to temporarily distort liquidity or pricing conditions without long-term financial exposure.
Summer.fi provides yield aggregation and automated vault management services, offering institutional-focused infrastructure for DeFi users. It enables users to borrow stablecoins, manage leveraged positions, and earn yield through integrations with multiple DeFi protocols. The project had not publicly commented on the incident at the time of publication.
The post Summer.fi Suffers $6M DeFi Exploit After Alleged Flash Loan Manipulates Vault Accounting appeared first on Metaverse Post.


