The Summer.fi team has announced the cessation of operations following a hack that resulted in a loss of $6.04 million. The user interface will remain accessible until August 31, while the future of the protocol will be determined by its governing DAO.

After 7 amazing years building in DeFi, the recent exploit on the Lazy Summer Protocol has forced us into the very difficult decision to wind down https://t.co/ccpDrJSnsA and sunset the UI.
We want to thank all our users, the community and supporters - you made it worthwhile.

— Summer.fi ☀ (@summerfinance_) July 15, 2026

“We have concluded that there is no viable path forward other than to cease operations,” the developers stated.

Summer.fi has been operational for about seven years. The team spent two years as part of the Maker Foundation before becoming an independent project in June 2021. During this time, over 50,000 users utilized the services of Oasis.app and Summer.fi.

The total value locked in the Lazy Summer Protocol reached $200 million in its first nine months. By the time of the attack, this figure had dropped to approximately $22 million, according to DefiLlama.

Source: DefiLlama.

On July 6, the attacker manipulated the net asset value of two USDC vaults in the Lazy Summer Protocol on the Ethereum network, withdrawing around $6.04 million in a single atomic transaction. The lower-risk vault lost about $5.64 million, while the higher-risk product lost approximately $400,000.

The attack exploited tokens from the Silo Varlamore USDC Growth vault, which had outdated valuations. These tokens were included in the Ark strategy, which had already been decommissioned. Although the deposit limit for Ark was set to zero, the strategy was not removed from the active FleetCommander set, allowing its assets to still be counted in the net asset value calculations.

A key condition for the attack was an unfinished operational process: Ark was in the process of being shut down but still affected asset valuation. The team did not identify any specific errors in the smart contract code.

The attacker took advantage of this to artificially inflate asset valuations and extract real liquidity from other strategies, including Morpho, Spark, and Sky. To execute the operation, they utilized flash loans exceeding $65 million.

According to the team, preparations began no later than April 6. Wallets associated with the attacker gradually accumulated Silo tokens, which were later used for manipulation. After repaying the flash loans, the attacker converted the profits into DAI, with some funds later routed through Tornado Cash using an intermediary wallet.

The developers reported that a significant portion of the team's own funds was held in the affected vaults. The financial losses depleted the project’s reserves necessary for recovery, infrastructure support, and continued operations.

Following the attack, all vaults in the Lazy Summer Protocol were paused, and deposit limits in DAO-managed products were set to zero. The organization is conducting the necessary procedures to resume withdrawals and redeem shares across all vaults, including the two affected ones.

Once the relevant functions are restored, they will be available in the Summer.fi interface. The project’s support service and Discord will continue to operate until the end of August.

Aave founder Stani Kulechov described Summer.fi as one of the pioneers in DeFi.

“This shows how high the stakes and costs are in creating a quality and secure access point to DeFi. A lot has happened in seven years, and it has been a great journey for the team,” he wrote.

The closure of Summer.fi comes shortly after a similar decision by the DeFi service Zapper, which cited challenging market conditions and an unsustainable business model.

It’s worth noting that in the first half of the year, crypto projects lost around $972 million due to 207 incidents, according to Immunefi.