Summer.fi pauses vaults after $6 million flash loan exploit on USDC accounting logic

Summer.fi said it paused all Lazy Summer vaults after an exploit that the project’s own post-mortem said drained about $6.04 million from its USDC vault accounting system. In its official post-mortem, the project described the incident as an NAV and accounting manipulation rather than a broader shutdown of the protocol.
According to the available reporting, the attack used a flash loan to manipulate the vault’s accounting logic, temporarily inflating assets so the attacker could redeem more value than was legitimately deposited. Summer.fi said the Guardian multisig paused the affected Lazy Summer vaults to limit additional losses while the investigation continued.
Secondary coverage also said the incident was first flagged by blockchain security firms, including Blockaid, with PeckShield and CertiK later reporting suspicious activity. Those reports pointed to the same basic mechanism: a flash loan-driven manipulation of the USDC vault logic, followed by a profitable redemption.
The available sources indicate the exploit affected Lazy Summer, Summer.fi’s automated yield system that routes deposits across lending markets, but they do not fully settle every detail of the fund flow or the final destination of the stolen assets. Additional confirmation remains pending as the post-mortem and outside security reports continue to develop.
Some third-party coverage said the protocol’s SUMR token fell after the incident, but the exact market impact should be treated cautiously unless the project or market data source confirms the move directly.
For now, the clearest confirmed update is that Summer.fi has paused the vaults linked to the incident while it reviews the accounting failure and what comes next for affected users.






