Decentralized finance protocol Summer.fi has paused its Lazy Summer vaults following an exploit that drained about $6 million from the Ethereum-based dividend platform, according to the project and several blockchain security firms.
Lazy Summer is an automated return platform that routes deposits across lending markets such as Aave and Morpho in pursuit of higher returns while handling rebalancing on behalf of users.
The incident was first flagged by blockchain security firm Blockaid, with PeckShield and CertiK also reporting suspicious activity. Summer.fi later confirmed it was investigating the attack and said protocol guardians had paused affected vaults to prevent further losses.
Early analysis suggests that the attacker was exploited a large flash loan attack, allegedly sourced through Morpho, to manipulate the accounting logic of Lazy Summer’s automated USDC boxes.
DeFi security researcher Bhari noted that the exploit took advantage of a flaw in the code to inflate total assets, which they were then allowed to redeem for a net profit. The stolen funds were apparently converted to DAI on Curve before being transferred to the attacker’s wallet.
The protocol had $22 million in total value locked up before the exploit, according to DeFiLlama data. The protocol’s SUMR token lost more than 18% of its value after the exploit was revealed.



