Decentralized finance protocol Summer.fi has suspended its Lazy Summer vaults after an exploit that drained approximately $6 million from the Ethereum-based yield platform, according to the project and several blockchain security companies.
Lazy Summer is an automated yield platform that routes deposits into lending marketplaces such as Aave and Morpho in search of higher yields while managing rebalancing on behalf of users.
The incident was first reported by blockchain security firm Blockaid, with PeckShield and CertiK also reporting suspicious activity. Summer.fi later confirmed it was investigating the attack and said protocol guardians had suspended the affected vaults to prevent further losses.
Initial analyzes suggest that the attacker exploited a large flash loan attack, apparently originating from Morpho, aimed at manipulating the accounting logic of Lazy Summer’s automated USDC vaults.
Bhari, a security researcher at DeFi, noted that the exploit took advantage of a flaw in the code to inflate total assets, which they were then allowed to buy back for a net profit. The stolen funds were apparently converted to DAI on Curve before being transferred to the attacker’s wallet.
The protocol had a total value locked of $22 million before the exploit, according to data from DeFiLlama. The protocol’s SUMR token lost more than 18% of its value after the exploit was discovered.




