According to blockchain security firm Blockaid, DeFi yield-optimization protocol Summer Finance was exploited for $6 million early Monday. Security analysts, including CertiK, determined that the attacker used a $65.4 million flash loan to obtain a $70.9 million redemption by manipulating the Lazy Summer Protocol's vault accounting.
The exploit targeted FleetCommander's calculation of totalAssets() across multiple vaults, allowing the attacker to distort the relationship between deposits, shares, and redemptions. The stolen funds were converted to DAI stablecoins and transferred to an attacker-controlled address. Summer Finance had not confirmed the breach through official channels as of the analyst reports.