Login
Sign Up
Woofun AI reports that Summer.fi identified a $6 million loss stemming from an exploitation of its net asset value mechanism rather than a smart contract vulnerability. On July 6, 2026, an attacker manipulated share prices in two Lazy Summer Protocol USDC vaults on Ethereum, withdrawing approximately $6.04 million through a single atomic transaction. The exploit involved donating tokens from the restricted "Varlamore" Silo vault to strategy adapters, artificially inflating share prices for arbitrage redemption. This flaw arose because the vault's on-chain valuation remained unadjusted since the Stream Finance collapse in November 2025, despite the shutdown process being incomplete. The attacker prepared for at least three months, accumulating tokens across multiple wallets to conceal intentions. Following the incident, Guardian’s multisig system and the foundation suspended all protocol vaults and set deposit limits to zero. While security firms like SEAL 911 are tracking the funds, the attacker has used Tornado Cash to obscure trails. The Lazy Summer DAO is currently evaluating vault resumption and user compensation strategies.