Summer.fi Loses $6M to Known ERC-4626 Exploit, Pauses Lazy Summer Vaults

What You Need to Know
- $6 million drained from Summer.fi’s Lazy Summer protocol via ERC-4626 share-price manipulation on July 6.
- Attack used Morpho flash loan routed through Uniswap, Curve, and Balancer to artificially inflate vault share prices.
- Blockaid and PeckShieldAlert detected the exploit mid-transaction; Summer.fi paused all Lazy Summer vaults pending investigation.
- Q2 2026 recorded 83 separate exploits, highest quarterly count on record, with share-price manipulations among recurring attack types.
A donation-based inflation attack drained roughly $6 million from Summer.fi‘s Lazy Summer protocol on July 6, targeting a single USDC vault whose displayed APY briefly spiked to approximately 2.08 million percent before on-chain security firms Blockaid and PeckShieldAlert flagged the transactions mid-flight. Summer.fi has since acknowledged the exploit and paused all Lazy Summer vaults while investigating the root cause.
The attack vector, an ERC-4626 share-price manipulation funded by a Morpho flash loan and routed through Uniswap, Curve, and Balancer, is a known class of exploit rather than a novel one. ERC-4626 vaults calculate share price from the ratio of assets to shares outstanding, which means a direct token donation can artificially inflate that ratio before any legitimate depositor can react. The pattern has appeared repeatedly since ERC-4626 became a standard building block for yield aggregators, and the flash loan wrapping makes it executable and repayable in a single atomic transaction, leaving almost no window for intervention. Blockaid’s detection system flagged the attack while it was still in progress, which is the right outcome for monitoring infrastructure, but the vault itself had no circuit breaker that could act fast enough.
Six million dollars is modest against the headline exploits, but it represents close to a fifth of Summer.fi’s total value locked of approximately $34.8 million, which is a structurally significant share for a protocol of this size.
The broader context is that Q2 2026 logged over 83 separate exploits, the highest incident count on record for a single quarter, with share-price and accounting manipulations listed alongside bridge flaws and admin-key theft as recurring attack types. That pattern reflects a maturing exploit economy where attackers are increasingly targeting mid-tier DeFi protocols with well-understood mechanics rather than chasing the complexity of large bridge or cross-chain attacks. For yield aggregators specifically, the risk compounds because they layer multiple protocols together: the Lazy Summer vaults route deposits through strategies built on Morpho, meaning a flaw at the vault accounting layer can drain capital that users believed was diversified. Other aggregators using ERC-4626 as a base standard should treat this as a live audit prompt, not a background event.
Summer.fi has stated it will provide further updates as its investigation continues, and the protocol guardians are currently holding all Lazy Summer vaults in a paused state.
0 Comments