Summer.fi reveals months of preparations behind $6 million DeFi exploit


Summer.fi published a detailed post-mortem on the matter. $6.04 million abuse that consumes both Lazy Summer Protocol USDC vaults. The report concludes that the attack was planned months in advance rather than an opportunistic flash loan exploit.

The report states that the attacker spent approximately three months collecting the assets needed to modify the protocol. The exploit was performed in a single atomic transaction 6 July.

He also argues that the root cause is an operational issue during the decommissioning of an old strategy rather than a flaw in the protocol’s smart contracts.

The attack took advantage of the incomplete disengagement process

According to the autopsy report, the attacker manipulated the net asset value (NAV) of two USDC vaults. Old valuable Silo vault tokens were donated to an Ark that was capped during the disembarkation process. However, Ark continued to be included in the vault’s NAV calculations.

This artificially inflated the vault’s share price, allowing the attacker to buy back the shares at an inflated value. The attacker then retreated for approx. $6.04 million in USDC from the liquid positions of the protocol.

Losses were shared between the parties Low-Risk USDC Vault that lost approximately $5.64 millionAnd High-Risk USDC Vault That Lost Nearly $400,000.

Summer.fi emphasized that the exploit was not caused by compromised private keys, administrative privileges, or a coding error. Instead, he said, the affected contracts acted as designed.

Still, a damaged Ark remained active in the vault’s accounting after the deposit cap was set to zero.

Preparation began months before the abuse

The report also challenges the initial narrative that the exploit was a simple credit attack.

Summer.fi said blockchain evidence shows that: The attacker had funded multiple wallets approximately three months before the incident. The attacker then gradually accumulated old valuable Silo vault tokens, which were then used to inflate the NAV of the vaults.

Flash loans primarily provided temporary liquidity for the final transaction rather than creating the vulnerability itself.

The protocol also cited a widely shared screenshot showing an approximate annual percentage return. 2.08 million%. He explains that this figure is due to a single-block increase in the vault’s reported NAV and does not represent actual investment returns.

Protocol paused while management weighs next steps

Following this exploit, all Lazy Summer Protocol vaults were paused and deposit limits were reduced to zero while the incident was investigated.

The report stated that management must now decide how to deal with affected vaults, whether to compensate users, and when unaffected vaults can safely resume operations.


Final Summary

  • Summer.fi said the $6.04 million exploit was planned over several months and resulted from an incomplete vaulting process.
  • The protocol paused all vaults while governance evaluated compensation, recovery, and the safe reopening of unaffected markets.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *