Summer.fi (Lazy Summer Protocol) Hack 2026 — $6M Exploit Analysis

Attacker manipulated FleetCommander.totalAssets() by donating stale-priced Silo Varlamore USDC Growth vault tokens into an Ark still counted in NAV, using a $65.4M flash loan to net ~$6.04M in DAI in a single atomic transaction.

Details

Full Description

On July 6, 2026, an attacker manipulated Summer.fi's FleetCommander.totalAssets() by donating stale-priced Silo Varlamore USDC Growth vault tokens (stale since the November 2025 Stream Finance collapse) into an Ark that was still counted in NAV. The attacker used a $65.4M flash loan from Morpho, deposited $64.8M, and redeemed $70.9M at the inflated price, netting approximately $6.04M in DAI. The attack was executed in a single atomic transaction. Vaults were paused following the attack. The SUMR token dropped approximately 18%. The attack was planned 3+ months in advance. Exploiter address: 0x7BF716167B48CF527725722C6d79494b45B3BDCa.

Laundering Analysis

Netted ~$6.04M in DAI. No specific laundering trail or recovery reported at time of writing.

Sources

Transaction Hashes

Related Hacks

Back to Browse