Decentralized finance (DeFi) protocol Summer.fi paused all vaults across its Lazy Summer Protocol on 6 Jul after an exploit netted an attacker about $6mn – the latest in a wave of attacks that has already cost Web3 projects more than $1.31bn this year.
Summer.fi Pauses Vaults After $6mn Exploit as Web3 Hack Toll Climbs; Token Price Falls
The price of the protocol's native token, SUMR, fell more than 18% to around $0.0016 on the news.
Blockchain security firm CertiK said the attacker used a $65.4mn flash loan to exploit a flaw in the protocol. Such attacks allow users to borrow large sums without collateral, use that temporary capital to manipulate market prices or exploit protocol logic and repay the original loan – all within a single blockchain transaction.
CertiK said the attacker used the temporary capital to manipulate the protocol's vault accounting, depositing about $64.8mn before redeeming roughly $70.9mn. Onchain data from Etherscan showed the exploit transaction occurred at around 05:17UTC on 6 Jul.
Summer.fi, a multichain protocol that offers borrowing, lending and yield optimization services, has about $24.6mn in total value locked (TVL), according to DeFiLlama.
What happened?
According to CertiK, the attacker exploited the way Summer.fi calculated assets in its FleetCommander vault system through an integration with Silo Finance's Varlamore USDC Growth vault.
The firm said the attacker had bought about 19.5bn vgUSDC, a yield-bearing token issued by the vault, in April after a major price swing. The token later rose about tenfold in value and was used in the attack.
Cybersecurity startup Cyvers explained in a separate post on X that the exploit was caused by a flaw in Summer.fi's share accounting that allowed the attacker to manipulate prices.
The security firm added that an address funded on the Base network carried out the attack and that the stolen funds were swapped into the Dai (DAI) stablecoin before being moved to an attacker-controlled address.
Summer.fi said it is investigating the incident but has not disclosed whether affected users will be reimbursed or whether any connected protocols were impacted. The company did not immediately respond to Sandmark's request for comment.
"We are aware of the reported exploit a little earlier today and are investigating the root cause," Summer.fi said in a post on X. "The protocol guardians are currently pausing all Vaults across the Lazy Summer Protocol. We will provide more updates as we have them."
The company did not confirm the loss amount or say when vault operations would resume.
Web3 hacks continue
The exploit comes as Web3 security incidents continue to accumulate in 2026. Earlier on 6 Jul, CertiK reported that hackers stole more than $1.31bn across 344 incidents during the first half of the year.
While total losses were lower than a year earlier, the comparison was skewed by the $1.45bn Bybit hack in H1 2025. Excluding that incident, losses in the first six months of 2026 were about 28% higher than those in the same period of 2025.
"The underlying security environment has not improved," the report reads. "In several meaningful respects, it has deteriorated."
Wallet compromises were the costliest method, accounting for over $444mn in losses across 33 incidents, followed by phishing attacks, which caused $366.3mn in losses across 63 incidents. Code vulnerabilities were the most common type of exploit, with 204 incidents resulting in about $151.6mn in losses, according to the report.
Ethereum recorded the highest number of security incidents, with 153 hacks, scams and exploits leading to about $522.8mn in losses during the first half of the year.