
Decentralized finance protocol Summer.fi has paused its Lazy Summer vaults after an exploit that drained about $6 million from the Ethereum-based yield platform, according to the project and several blockchain security firms.
Lazy Summer is an automated yield platform that routes deposits across lending markets such as Aave and Morpho in search of higher returns while handling rebalancing on behalf of users.
The incident was first flagged by blockchain security firm Blockaid, with PeckShield and CertiK also reporting suspicious activity. Summer.fi later confirmed it was investigating the attack and said protocol guardians had paused affected vaults to prevent additional losses.
Early analyses suggest the attacker leveraged a large flash loan attack, reportedly sourced through Morpho, to manipulate the accounting logic of Lazy Summer’s automated USDC vaults.
DeFi security researcher Bhari noted that the exploit took advantage of a flaw in the code to inflate total assets, which they were then allowed to redeem for a net profit. The stolen funds were apparently converted to DAI on Curve before being transferred to the attacker’s wallet.
The protocol had $22 million in total value locked before the exploit, according to DeFiLlama data. The protocol’s SUMR token lost more than 18% of its value after the exploit was uncovered.


