Attacker manipulated FleetCommander.totalAssets() by donating stale-priced Silo Varlamore USDC Growth vault tokens into an Ark still counted in NAV, using a $65.4M flash loan to net ~$6.04M in DAI in a single atomic transaction.
On July 6, 2026, an attacker manipulated Summer.fi's FleetCommander.totalAssets() by donating stale-priced Silo Varlamore USDC Growth vault tokens (stale since the November 2025 Stream Finance collapse) into an Ark that was still counted in NAV. The attacker used a $65.4M flash loan from Morpho, deposited $64.8M, and redeemed $70.9M at the inflated price, netting approximately $6.04M in DAI. The attack was executed in a single atomic transaction. Vaults were paused following the attack. The SUMR token dropped approximately 18%. The attack was planned 3+ months in advance. Exploiter address: 0x7BF716167B48CF527725722C6d79494b45B3BDCa.
Netted ~$6.04M in DAI. No specific laundering trail or recovery reported at time of writing.
0x7BF716167B48CF527725722C6d79494b45B3BDCa