Summer.fi has announced plans to wind down operations after a $6 million flash-loan exploit on Lazy Summer vaults extracted approximately $6.04 million from two USDC vaults on Ethereum by manipulating the protocol’s asset valuation process. The Summer.fi interface, customer support and Discord channels will remain available until August 31, 2026. The underlying Lazy Summer Protocol will not automatically close on that date because it is governed separately by the Lazy Summer DAO. In its official shutdown announcement, Summer.fi said the losses left the team without enough financial runway to fund recovery work, infrastructure and continued operations.
Exploit Hit a Protocol Already in Decline
Summer.fi operated for about seven years and became independent from the Maker Foundation in June 2021. More than 50,000 people reportedly used Oasis.app and Summer.fi during that period. Lazy Summer Protocol expanded rapidly after launch, reaching close to $200 million in total value locked during its first nine months. However, its asset base had already declined considerably before the shutdown announcement.

DefiLlama showed approximately $12.8 million in TVL in its latest snapshot. The tracker also recorded quarterly gross protocol revenue falling from about $218,300 in Q3 2025 to $47,420 in Q2 2026. The TVL decline should not be treated as an equivalent user loss. The metric can change because of withdrawals, token-price movements, paused vaults and changes in how assets are valued. Summer.fi said a meaningful portion of the team’s own capital was held in the affected vaults. The exploit therefore damaged both user deposits and the reserves available to keep the project running.
Outdated Ark Valuation Enabled the Attack
The attacker targeted the way Lazy Summer vaults calculated net asset value rather than compromising an administrator key. Lazy Summer vaults allocate funds across strategy adapters known as Arks. One of those strategies held Silo Varlamore USDC Growth vault tokens carrying outdated valuations.
The Ark was already being phased out, and its deposit limit had been reduced to zero. However, it had not been removed from the active FleetCommander set, meaning its reported assets continued to influence the vault’s NAV. The attacker donated the stale-valued Silo tokens into the Ark, artificially increasing the reported value of the vault. The inflated share price then allowed real USDC liquidity to be redeemed from other strategies, including Morpho, Spark and Sky.
According to Summer.fi’s official exploit post-mortem, the attack was completed in a single atomic transaction using more than $65 million in flash loans. The lower-risk USDC vault lost approximately $5.64 million, while the higher-risk vault lost about $400,000. Summer.fi said it had not identified a newly introduced smart contract coding error. Instead, the incident resulted from an incomplete strategy shutdown process that left the Ark inside the active valuation system.
The team’s investigation also indicated that attacker-linked wallets had begun accumulating the relevant Silo tokens months before the exploit. After repaying the flash loans, the attacker converted the remaining proceeds into DAI, with part of the funds later routed through Tornado Cash.
Protocol Future Remains With the DAO
Summer.fi Labs is winding down, but the Lazy Summer Protocol will remain under DAO control. Following the attack, vaults were paused and deposit limits were set to zero. The DAO is now completing the procedures needed to restore withdrawals and share redemptions. These functions will appear in the Summer.fi interface when they become available.
The team has not guaranteed full compensation for affected depositors. Any recovery plan and the protocol’s long-term future will require DAO governance decisions. DefiLlama classifies the incident as a protocol-logic donation attack on Ethereum. It also reports cumulative protocol revenue of approximately $232,050, making the $6.04 million exploit roughly 26 times larger than the protocol’s reported lifetime revenue.
That comparison does not represent Summer.fi’s complete balance sheet, but it illustrates the scale of the loss relative to the income generated by the protocol. The incident also comes amid broader crypto security losses. A May 2026 crypto hacks report recorded $84.2 million in losses across 41 incidents. Summer.fi’s interface and support channels will remain available until August 31. After that, responsibility for withdrawals, remediation and the future of Lazy Summer Protocol will rest with the DAO.

















