DeFi yield aggregator Summer.fi lost approximately $6.017 million in DAI after an attacker exploited a vulnerability in one of its vaults on Ethereum. The incident occurred on July 6, 2026, in a single complex transaction. CertiK flagged the suspicious activity shortly after it began, highlighting an anomalous flash loan interaction tied to the protocol. The security firm’s monitoring systems detected the rapid liquidity manipulation and subsequent fund movements in real time.
We have detected a suspicious transaction involving @summerfinance_.
The sender profited ~$6M using ~$65.4M flashloan for liquidity manipulation in the transaction https://t.co/CdF6xwpCUj.
Stay Vigilant! pic.twitter.com/4gEhh9FyxX
— CertiK Alert (@CertiKAlert) July 6, 2026
Exploit Details
The attacker initiated the exploit by securing a roughly $65.4 million flash loan, primarily in USDC and USDT. This capital was used to manipulate liquidity pools across protocols such as Morpho and Curve. By altering liquidity dynamics, the attacker triggered imbalances that allowed outsized withdrawals from Summer.fi’s LazyVault_LowerRisk_USDC, often referred to as the LVUSDC vault, due to issues in share accounting and deallocation logic.
After extracting the funds, primarily in DAI, the attacker repaid the flash loan within the same transaction and transferred the profits to a controlled address starting with 0x7BF7…BDCa. The entire sequence executed atomically, minimizing the attacker’s own capital at risk beyond transaction fees.

The exploit again shows how DeFi losses do not always come from simple contract drains. In some cases, liquidity depth, routing logic and accounting assumptions can combine to create major losses, similar to a previous DeFi trade on Aave where extreme slippage and low liquidity caused a nearly $50 million loss.
About Summer.fi and Impact
Summer.fi, formerly known as Oasis.app, operates the Lazy Summer Protocol, which provides automated, rebalanced yield strategies across multiple DeFi lending and liquidity platforms. Its vaults aim to deliver optimized returns with managed risk for both retail and institutional users. The exploited LVUSDC vault focused on lower-risk USDC exposure.
This marks another instance of a flash loan-driven attack targeting accounting logic in yield aggregation vaults. Similar mechanics have appeared in past incidents involving share price manipulation or improper handling of deposits and withdrawals during liquidity shifts.
The incident also follows other recent DeFi security cases, including the Transit Finance exploit that resulted in an estimated $1.88 million loss. Although the technical causes differ, both cases underline how complex protocol integrations and external liquidity dependencies can create security risks that are difficult for users to assess directly. DeFi protocols continue to face challenges in ensuring robust pricing and allocation safeguards, especially when interacting with external liquidity sources like Curve and Morpho.
The broader DeFi ecosystem has seen a steady stream of such exploits in 2026, underscoring persistent risks in vault and aggregator designs. A recent June 2026 crypto hack report recorded 45 blockchain security incidents, showing that exploit activity remains a major concern across the industry.
While many projects emphasize audits and AI-driven rebalancing, complex interactions with underlying protocols can still expose edge cases in accounting math. For yield aggregators, the Summer.fi incident is another reminder that automated strategy design must account not only for normal market conditions, but also for adversarial transactions built around flash loans and liquidity manipulation.















