Analysis: Summer.fi $6 million theft case may be due to flash loan vulnerability exploitation

robot
Abstract generation in progress

BlockBeats news, July 6 — DeFi yield optimization protocol Summer Finance (Summer.fi) reportedly suffered a security attack, with on-chain analytics estimating losses of approximately $6 million.

Blockchain security firm Blockaid was the first to detect the security incident. Cyvers stated that the attacker likely exploited a vulnerability in the protocol's share accounting mechanism through price manipulation, then swapped the stolen assets worth about $6 million into DAI stablecoins and transferred them to an address controlled by the attacker.

CertiK further analyzed that the attacker used a flash loan of approximately $65.4 million to manipulate the asset valuation logic of the vault under Summer.fi's Lazy Summer Protocol, ultimately redeeming about $70.9 million in assets after depositing around $64.8 million, profiting roughly $6 million.

It is reported that the vulnerability involves the asset accounting logic for totalAssets() in the Fleet Commander contract, which manages the protocol's vault assets. The attacker accumulated specific vault positions in advance and influenced asset calculations by donating assets to the Ark contract, thus completing the arbitrage.

As of press time, Summer.fi has not confirmed the attack through official channels, and the root cause of the vulnerability is still under investigation.

ARK-2.09%
View Original
This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.
  • Reward
  • Comment
  • Repost
  • Share
Comment
Add a comment
Add a comment
No comments
  • Pinned