
On July 6, the DeFi protocol Summer.fi was hacked, according to the project team.
We are aware of the reported exploit a little earlier today and are investigating the root cause. The protocol guardians are currently pausing all Vaults across the Lazy Summer Protocol.
We will provide more updates as we have them.— Summer.fi ☀ (@summerfinance_) July 6, 2026
The developers have not disclosed the exact amount of damage or technical details of the attack.
According to Cyvers, the attacker exploited a vulnerability in the asset share accounting mechanism and manipulated prices. They then exchanged the stolen $6 million for DAI stablecoins and transferred them to their own address.
🚨ALERT🚨Our system has detected a suspicious transaction involving @summerfinance_ with an estimated loss of $6M.
An address funded via #FixedFloat on #Base executed a suspicious transaction on the #ETH network.
Root cause: The attacker appears to have exploited a share… pic.twitter.com/oS1OE5vGYh— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) July 6, 2026
According to CertiK, the attacker used a flash loan of $65.4 million to temporarily increase the protocol’s funds and initiate a withdrawal of about $70.9 million. The profit amounted to approximately $6 million, which went to the hacker.
The manipulation affected the asset accounting system in Lazy Summer, which automatically redistributes user deposits among lending platforms.
1/ Attacker was able to redeem $70.9M following $64.8M deposit thanks to manipulation of FleetCommander’s accounting of totalAssets() on a host of vaults, particularly Silo: Varlamore USDC Growth, which the attacker had accumulated beforehand and donated to the Ark in between. pic.twitter.com/x2eeKlWy3n— CertiK Alert (@CertiKAlert) July 6, 2026
Experts highlighted that the vulnerability is linked to the distortion of the totalAssets() metric in FleetCommander smart contracts, which manage the vaults. Additionally, the Ark contract, which connects the protocol to external lending services, influenced the scheme.
In June, losses from crypto hacks decreased to $75.9 million. Experts recorded 40 incidents, with the largest being the attack on Humanity Protocol, resulting in a $31 million loss.
In the second quarter, the number of exploits reached 83, the highest in recorded history.
