The DeFi yield aggregator Summer.fi lost about $6 million in DAI after an attacker used a $65 million USDC flash loan to distort the accounting of its Lazy Summer Vault, briefly pushing the displayed APY above two million per cent.
Summer.fi lost about $6.017 million in DAI on Monday after an attacker distorted the accounting of one of its Lazy Summer Vaults using a flash loan of roughly $64.8 million in USDC. The protocol paused all vault deposits within hours. The stolen funds were routed through Tornado Cash before the team had finished writing its post-mortem.
The mechanics are worth pulling apart, because the attack is not the kind of raw contract exploit that the industry has been retiring since 2022. Summer.fi's vault system is built around a parent contract called Fleet Commander that allocates deposits to a set of downstream strategy contracts called Arks. Each Ark is meant to report its own asset balance back to the Fleet Commander so that vault shares can be priced accurately. That trust boundary is where the money went.
The attacker took out the flash loan, deposited it into a manipulated Ark strategy, and forced the strategy to report about $7.14 million in assets when the real number was much smaller. Because Fleet Commander accepted the number without independent verification, it minted vault shares against a phantom balance. The attacker then redeemed those shares for approximately 71 million USDC, repaid the flash loan, and walked away with roughly $6 million in profit. The distorted APY briefly displayed on the front end was above 2 million per cent — the visible symptom of a bookkeeping bug that no user would have had time to react to.
This is a familiar pattern with a specific technical failure. Every major flash-loan attack since the Beanstalk raid has exploited a moment when an accounting layer trusted a number that the attacker controlled. Cream Finance's $37 million loss worked the same way through a different oracle. Summer.fi's failure is not that it was hit — plenty of DeFi protocols have survived being probed by an actor with a nine-figure temporary balance sheet. Its failure is that the Ark contract's reported balance was the only source of truth Fleet Commander consulted.
The protocol paused the affected LazyVault contracts on-chain and posted a status update naming the compromised strategy. The team said onchain monitoring by Blockaid had flagged the transaction, though the flagging happened after the funds had already been withdrawn — a lag that is standard for post-hoc detection and useless for actual prevention. Summer.fi had roughly $340 million in total value locked before the incident, spread across a mix of stablecoin and ETH-denominated vaults. Only the DAI vault appears to have been drained; other pools remained solvent when the pause was applied.
The Tornado Cash trail is now more or less standard operating procedure for opportunistic DeFi thieves. Chainalysis will publish an attribution report; the stolen DAI has already been swapped and mixed. Nothing about that pipeline is new. What is new is that Summer.fi is the rebrand of Oasis.app — the original MakerDAO front end — and its yield vaults were built by the same team that helped design the DAI system in the first place. That heritage did not stop the accounting from breaking.
The immediate financial impact on users is contained. Summer.fi's Lazy Summer product is one vault line among several. Deposits in unaffected pools remain withdrawable, and the DAO holds a treasury that could cover the loss if governance chose to. Whether it will is a separate conversation; DeFi protocols have historically pushed the loss to token-holders through inflationary refunds, and Summer.fi's tokenomics are not designed for a clean bailout.
The wider point is that DeFi security has bifurcated. The largest, oldest lending protocols — Aave, Compound, Sky — now audit their vault accounting through multiple independent oracles and have not lost user funds to this class of attack for two years. The second tier of yield aggregators keeps shipping code where a single strategy contract can lie to a parent about how much money it holds. Summer.fi joined that second tier on Monday.
There is no equity holder in this loss. The DAI is gone, the attacker is on-chain, the vault contracts are frozen, and the team's Discord is full of users asking whether their principal is safe. The best-case outcome is a governance vote in the next fortnight that reimburses depositors out of the treasury. The worst case is a partial refund and a legal complaint from a large yield farmer.
The vaults remain paused as of Monday evening UTC. Summer.fi has not committed to a restart timeline.