Summer.fi has paused its Lazy Summer Protocol vaults after an exploit removed roughly $6 million from the Ethereum-based yield platform. The project said it was investigating the attack and that protocol guardians had halted affected vaults to limit further losses.
The incident matters because Lazy Summer is designed to automate DeFi yield strategies, routing user deposits across lending markets such as Aave and Morpho while handling rebalancing. A failure in that kind of system can quickly affect user confidence, especially when the exploit involves vault accounting logic rather than a simple front-end issue.
Blockchain security firm Blockaid first flagged the activity, with PeckShield and CertiK also reporting suspicious behavior. According to early analyses cited by CoinDesk, the attacker used a large flash loan, reportedly sourced through Morpho, to manipulate the accounting logic in Lazy Summer’s automated USDC vaults.
DeFi security researcher Bhari said the flaw allowed the attacker to inflate total assets and then redeem them for profit. The stolen funds were apparently converted into DAI on Curve before being moved to the attacker’s wallet.
Before the exploit, Summer.fi had about $22 million in total value locked, according to DeFiLlama data cited in the report. The protocol’s SUMR token dropped by more than 18% after the exploit was uncovered, adding a market impact to the operational damage from the attack.