Summer fi: The Lazy Summer attack is not a contract vulnerability, but rather an exploitation of the NAV mechanism.

Wu Says learned that Summer fi released a post-mortem report on the Lazy Summer Protocol USDC Vault attack, stating that on July 6 the attacker exploited flaws in the net asset value (NAV) calculation mechanisms of two Ethereum USDC vaults. In a single atomic transaction, they manipulated the share price via flash loans and stole approximately $6.04 million in assets. Among them, the LowerRisk USDC vault lost about $5.64 million, while the HigherRisk USDC vault lost about $0.4 million. The report says the issue was not a vulnerability in the contract code or a private key leak, but rather the injection of overvalued assets into an Ark strategy that had already been discontinued yet was still included in the NAV, causing the vault share price to be overstated and completing the arbitrage. After the incident, the protocol paused all Vaults and set the deposit limit to zero. The team is working with SEAL 911, Blockaid, CertiK, PeckShield, Cyvers, and others to trace the flow of funds, and the compensation plan will be determined by Lazy Summer DAO governance.
USDC0.01%
View Original
This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.
  • Reward
  • 3
  • 2
  • Share
Comment
Add a comment
Add a comment
TheMoonReflectsOnTheTranquil
· 4h ago
LowerRisk actually results in greater losses, full of irony. Now the Vault is completely shut down + deposits are zero, making it hard to rebuild user confidence.
View OriginalReply0
PettyLp
· 4h ago
Flash loan + atomic swap—what a classic one-two punch. The core mechanism, like NAV calculation, wasn’t isolated at all. What was the audit team doing?
View OriginalReply0
AirdropCartographer
· 4h ago
A stopped Ark strategy can still affect net value—this design is truly ridiculous. 6.04 million to learn a lesson, and we still need to redraw DeFi’s security boundaries.
View OriginalReply0
  • Pinned