Summer Finance loses $6M in suspected flash-loan exploit

Summer Finance was exploited for about $6 million in a suspected flash-loan attack that used a large loan to manipulate vault accounting, onchain analysts report.

Summer Finance, a DeFi yield-optimization protocol known as Summer.fi, lost about $6 million in a suspected flash-loan exploit on Monday, according to blockchain security firms and onchain investigators.

Blockchain security firm СertiK flagged the breach early Monday. Onchain investigators and auditors traced a sequence in which an attacker used a large, short-term flash loan to distort internal accounting and trigger outsized redemptions from the protocol.

CertiK's technical analysis identified a roughly $64.8 million to $65.4 million flash loan that enabled a $70.9 million redemption. CertiK wrote: “Attacker was able to redeem $70.9M following a $64.8M deposit thanks to manipulation of FleetCommander’s accounting of totalAssets() on a host of vaults, particularly Silo: Varlamore USDC Growth, which the attacker had accumulated beforehand and donated to the Ark in between.”

The exploit targeted how the Lazy Summer Protocol reported totalAssets() across vaults managed by the FleetCommander contract. Investigators say the attacker accumulated tokens in the Silo: Varlamore USDC Growth vault, moved those tokens through the protocol's Ark connector into a lending market, then used a large deposit to inflate FleetCommander's asset totals and redeem more value than the vaults actually held.

Cyvers reported the attacker converted the withdrawn funds to DAI stablecoins and transferred them to an attacker-controlled address. Public tracing shows about $6 million left the protocol; the exact impact on individual user balances has not been confirmed by the project.

Summer Finance runs an automated yield-optimization system that uses AI keepers to allocate and rebalance user deposits across multiple lending platforms. FleetCommander manages the collection of vaults and the Ark links a vault to a specific lending market. Auditors say the vulnerability related to how share values and totalAssets() were updated across interconnected vaults and connectors.

Security teams continue onchain analysis to track the stolen funds and assess whether any assets can be recovered. Summer Finance has not published an official confirmation or technical postmortem. Users are advised to monitor the project's official channels for updates and to check whether their deposits were held in the affected vaults.

The content on The Coinomist is for informational purposes only and should not be interpreted as financial advice. While we strive to provide accurate and up-to-date information, we do not guarantee the accuracy, completeness, or reliability of any content. Neither we accept liability for any errors or omissions in the information provided or for any financial losses incurred as a result of relying on this information. Actions based on this content are at your own risk. Always do your own research and consult a professional. See our Terms, Privacy Policy, and Disclaimers for more details.

Articles by this author