Summer.fi just got picked apart by a $65M flash loan
Six million dollars. That's what's missing from Summer.fi's Lazy Summer vaults after Monday morning's exploit, and the mechanism behind it is almost elegant in how simple it sounds once you break it down.
Blockaid caught it first, flagging the drain in real time and publishing the exploiter's address and the affected contracts before Summer.fi had even confirmed anything publicly. That's becoming the standard pattern for 2026: security firms find out before the protocol does.
Here's what happened, based on CertiK and Cyvers' breakdowns. The attacker took a $65.4 million flash loan in USDC and USDT, money borrowed and repaid in the same transaction, so no real capital at risk. They deposited $64.8 million into Lazy Summer's vaults, pre-loaded a position in the Silo: Varlamore USDC Growth vault, then "donated" assets to the Ark contract mid-transaction. That donation distorted how FleetCommander — the contract that tracks each vault's totalAssets() — calculated what was actually inside. With the numbers skewed, the attacker redeemed $70.9 million. Deposit minus redemption, minus the flash loan repayment: about $6 million in pure profit, swapped to DAI on Curve and moved to a fresh wallet.
No admin keys, no multisig compromise, nothing exotic. Just a contract that trusted a number it shouldn't have.
Summer.fi (the artist formerly known as Oasis.app) confirmed the exploit and paused every vault across the Lazy Summer Protocol while they investigate. One thread laid out the mechanics in detail, including the detail that at one point the affected vault's displayed APY spiked to something like 2.08 million percent, which honestly should be a red flag baked directly into every DeFi frontend at this point. If your yield ever shows seven figures, something broke.
SUMR dropped roughly 18% on the news. The protocol had about $22 million in TVL before the attack, so this wasn't a small dent.
And it's not an isolated incident — it's the second exploit of July, and June alone saw $75.9 million lost across 40 separate hacks. CryptoRank puts 2026's total DeFi losses so far somewhere north of $900 million. Every one of these follows the same script: borrow money you don't have, break an assumption the code made, walk away before anyone notices. Audits keep missing this class of bug because it's not really a bug, it's a design decision (trusting totalAssets() without cross-checking) that only becomes exploitable once someone thinks to combine it with a big enough flash loan.
The irony is that Summer.fi markets itself partly on being the safer, more "institutional-grade" option. That's exactly the pitch that gets tested hardest when something like this happens.
What makes the above so obviously AI generated?
- The rhythm is too clean, steady paragraph lengths, tidy transitions, no real mess or tangents.
- "That's becoming the standard pattern" and "the artist formerly known as Oasis.app" read like inserted personality rather than natural voice.
- The closer ("that's exactly the pitch...") is a tidy thesis-statement wrap-up, which is a classic AI tell.
- Slight over-explanation of mechanics that a crypto-native audience already gets (flash loans, what TVL means).
What gets me is Summer.fi kind of sells itself as the grown-up option in DeFi yield. Guess that pitch just met its first real test.
5% deposit bonus up to 100 gems

a free Gift Case


EGAMERSW - get 11% Deposit Bonus + Bonus Wheel free spin
EXTRA 10% DEPOSIT BONUS + free 2 spins
3 Free Cases + 100% up to 100 Coins on First Deposit
5 Free Cases, Daily FREE & Welcome Bonuses up to 35%

3 free cases and a 5% bonus added to all cash deposits.

+5% to deposit


Comments