Just-In: Summer.fi Hit By Suspected $6M Flash Loan Exploit As DeFi Vaults Targeted
Highlights
- An attacker used a $65.4M Morpho flash loan to drain about $6M, mostly in DAI, from Summer.fi's Lazy Summer Protocol.
- The exploit manipulated vault share accounting in a single atomic transaction, targeting a known ERC-4626 vulnerability.
- Blockaid and CertiK confirmed the attack, Summer.fi has yet to issue an official statement as users monitor positions.
In a recent development earlier today, Blockaid and CertiK, blockchain security firms, identified a flash loan exploit on Summer.fi (Lazy Summer Protocol). With a flash loan of $65.4 million, sourced from Morpho, the attacker was able to stash about $6 million, mostly in DAI, and alter the accounting of vault shares all in one atomic transaction.
How the Summer.fi Attack Unfolded
The Lazy Summer Protocol is the yield vault protocol launched by Summer.fi in early 2025 and SUMR is the governance token introduced in January 2026.
The protocol moves user deposits from the top DeFi loan markets, such as Morpho, Fluid, and Aave, automating the rebalancing of funds for optimal risk-adjusted returns. This attack now puts that automated vault architecture under scrutiny, as DeFi Flash Loan Attacks have drained $500M, a pattern still hitting protocols in 2026.
The exploit reportedly exploited one of Summer.fi’s ERC-4626-style vaults, known as LazyVault_LowerRisk_USDC. The attacker’s wallet, 0x7BF…3BDCa, has been seen on-chain, with the wallet receiving funds approximately two months prior to the attack, showing careful planning.
The attacker obtained a $65.4 million flash loan from Morpho and routed the funds through Curve, Uniswap, and Balancer to manipulate vault liquidity and share prices.
By making large deposits and withdrawals within a single atomic transaction, the exploiter distorted the vault’s share accounting and extracted approximately $6 million before repaying the flash loan. Because the transaction was atomic, it either executed entirely or failed completely.
The exploit leveraged a known ERC-4626 tokenized vault vulnerability involving share inflation through token donations, a flaw previously observed in several DeFi incidents. The attack was independently confirmed by security firm PeckShield and the exploit monitoring platform Phalcon.
The Yearn Finance Flash Loan Exploit on Aave in a prior cycle used comparable vault manipulation mechanics, underscoring how this attack vector has persisted across DeFi generations.
Impact, Response, and What’s Next
At the time of writing, Summer.fi has not made any official statement. At the time of the initial Blockaid alert, the attack was said to be continuing. They are being urged to keep a close eye on positions if affected by the impacted vault.
Blockaid identified the exploit and alerted users in real time through its threat detection network. According to CertiK, the attacker profited approximately $6 million through liquidity manipulation. Initial reports indicated that no external user funds were at risk, as the exploit was limited to the affected vault’s mechanics.
The incident adds to a growing number of DeFi security breaches in 2026. Flash loan attacks remain particularly difficult to defend against because they require no upfront collateral, and failed attacks are automatically reverted.
The extent to which the wider DeFi movement can recover, and if at all, will depend on the Summer.fi team’s findings regarding a mitigation strategy as well as their outreach efforts via a “whale hat” approach. The Best DeFi Lending Platforms in 2026 still carry smart contract exploit risks, a reminder that due diligence remains critical even on audited platforms.











