Summer.fi: $6 million vault attack originated from exploitation of NAV mechanism, not a contract vulnerability.

robot
Abstract generation in progress
ME News: On July 8 (UTC+8), DeFi yield protocol Summer.fi released a post-incident analysis report on a $6 million vulnerability attack. On July 6, 2026, an attacker manipulated the share prices of two Lazy Summer Protocol USDC vaults on the Ethereum mainnet, extracting approximately $6.04 million in depositor assets in a single atomic transaction. The report shows that the attacker exploited a vulnerability in the vault net asset value (NAV) calculation mechanism: by “donating” a Silo “Varlamore” vault token—which had previously been restricted from deposits, was in the process of being decommissioned, but was still counted in the NAV calculation (its on-chain valuation had not been adjusted downward since the Stream Finance collapse in November 2025)—to the relevant strategy adapter, the attacker artificially inflated the vault share price and used it to redeem and execute arbitrage. The entire operation was not a contract code vulnerability; it occurred because the strategy decommissioning process was not completed in a timely manner. The report states that the operation was preceded by at least three months of preparation, during which the attacker accumulated the relevant tokens across multiple wallets to obscure their intent. After the incident, the Guardian multisig and the foundation paused all protocol vaults and set the deposit limit to zero. Security organizations such as SEAL 911 have stepped in to assist with tracking the funds, but the attacker had already transferred part of the funds via Tornado Cash, increasing the difficulty of on-chain tracing. Currently, the Lazy Summer DAO is assessing the timeline for lifting the vault pause and the plan for handling affected users’ funds, and no final compensation plan has been announced yet. (Source: Foresight News)
STREAM-1.23%
View Original
This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.
  • Reward
  • Comment
  • Repost
  • Share
Comment
Add a comment
Add a comment
No comments
  • Pinned