
Summer.fi's post-mortem reveals a $6.04M exploit was planned for months. The attacker exploited an offboarding accounting gap, not a flash loan or code bug.
Summer.fi released a post-mortem this week on the $6.04 million exploit that drained two USDC vaults in its Lazy Summer Protocol. The report argues the attack was not an opportunistic flash loan grab but a months-long operation. The attacker spent roughly three months accumulating the assets needed to manipulate the protocol, then executed the entire exploit in a single atomic transaction on July 6.
The Offboarding Gap
According to the post-mortem, the root cause was an operational issue during the offboarding of an old strategy, not a bug in the smart contracts. The attacker manipulated the net asset value of two USDC vaults by donating stale-valued Silo vault tokens into an Ark that had already been capped during offboarding. That Ark, however, remained included in the vault's NAV calculations.
The result was an artificially inflated share price. The attacker redeemed shares at that inflated value and withdrew roughly $6.04 million in USDC from the protocol's liquid positions. The Lower Risk USDC Vault lost about $5.64 million; the Higher Risk USDC Vault lost roughly $400,000.
Summer.fi stressed that no private keys were compromised, no admin privileges were abused, and no coding bug was exploited. The contracts behaved as designed. The problem was that an impaired Ark stayed active in the vault's accounting after its deposit cap had been set to zero.
The Real Attack Vector
The report challenges the early narrative that this was a simple flash loan attack. Blockchain evidence shows the attacker funded multiple wallets roughly three months before the incident and gradually accumulated stale-valued Silo vault tokens. Those tokens were later used to inflate the NAV. The flash loans provided temporary liquidity for the final transaction – they did not create the vulnerability itself.
Summer.fi also addressed a widely shared screenshot showing an annual percentage yield of roughly 2.08 million%. The figure came from a one-block spike in the vault's reported NAV and did not represent actual returns.
What Happens Next
All Lazy Summer Protocol vaults were paused after the exploit, and deposit caps were reduced to zero while the incident was investigated. The report says governance must now decide how to handle the affected vaults, whether to compensate users, and when unaffected vaults can safely resume operations.
The attacker's three-month preparation is the detail that should give pause. Opportunistic flash loan attacks get patched quickly. A patient operator who identified an accounting gap in an offboarding process – and waited months to strike – suggests a different class of risk. The protocol's next steps on compensation and re-opening will test how well DeFi governance handles operational failures that are not code bugs.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.