
A flash loan exploit drained $6 million from the Lazy Summer Protocol. The attacker deposited $64.8M and redeemed $70.9M in a single transaction.
Summer.fi pulled the plug on its Lazy Summer Protocol vaults Wednesday after a flash loan exploit drained roughly $6 million from the platform.
The protocol paused all vaults and set deposit caps to zero across every network it serves. The move came after blockchain security firms PeckShieldAlert and CertiKAlert flagged an active exploit.
CertiK said the hacker abused the protocol's flash loan smart contracts. The attacker deposited $64.8 million and immediately redeemed $70.9 million, walking away with the difference.
Flash loans let a trader borrow large sums of crypto with no collateral, as long as the loan is repaid within the same transaction. The exploit works when an attacker finds a price discrepancy between two lending pools, borrows from one to manipulate the price on the other, then repays the original loan and pockets the difference. Summer.fi's vaults offered the price gap the attacker needed.
The $6 million loss adds to a bleak year for crypto security. PeckShield recorded $4.04 billion lost to hacks and scams combined in 2025, up 34.2% from $3.01 billion in 2024. Direct hacks and exploits accounted for $2.67 billion of the 2025 total, while scam-related activity made up the other $1.37 billion.
Summer.fi has not announced a timeline for reopening vaults or whether it will attempt to recover the stolen funds. Users with assets locked in paused vaults will have to wait for the protocol's next update on the situation.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.