On July 6, the DeFi protocol Summer.fi was hacked, as announced by the project team.

We are aware of the reported exploit a little earlier today and are investigating the root cause. The protocol guardians are currently pausing all Vaults across the Lazy Summer Protocol.

We will provide more updates as we have them.— Summer.fi ☀ (@summerfinance_) July 6, 2026

The exact amount of the loss and technical details of the attack have not been disclosed by the developers.

According to Cyvers, the attacker exploited a vulnerability in the asset share accounting mechanism and manipulated prices. They then exchanged the stolen $6 million for DAI stablecoins and transferred them to their own address.

CertiK reported that the attacker used a flash loan of $65.4 million to temporarily inflate the funds in the protocol and initiated a withdrawal of approximately $70.9 million. The profit amounted to about $6 million, which went to the hacker.

This manipulation affected the asset accounting system in Lazy Summer, which automatically redistributes user deposits among lending platforms.

1/ Attacker was able to redeem $70.9M following $64.8M deposit thanks to manipulation of FleetCommander's accounting of totalAssets() on a host of vaults, particularly Silo: Varlamore USDC Growth, which the attacker had accumulated beforehand and donated to the Ark in between. pic.twitter.com/x2eeKlWy3n— CertiK Alert (@CertiKAlert) July 6, 2026

Experts emphasized that the vulnerability was related to the distortion of the totalAssets() metric in the FleetCommander smart contracts, which manage the vaults. Additionally, the Ark contract, which connects the protocol to external lending services, influenced the scheme.

It is worth noting that in June, losses from crypto hacks decreased to $75.9 million, with 40 incidents recorded. The largest was the attack on Humanity Protocol, which resulted in a loss of $31 million.

In the second quarter, the number of exploits reached 83, the highest ever recorded.