On July 6, an exploit caused a loss of approximately $6 million from Summer.fi's Lazy Summer USDC vault. This breach was significant, affecting nearly 20% of the platform's total value locked (TVL) of $34.8 million. The attack was financed by a flash loan procured from Morpho and involved transactions routed through platforms including Uniswap, Curve, and Balancer.

Details of the Exploit

The breach was identified by on-chain security firms Blockaid and PeckShieldAlert, who reported that the vault's advertised yield had spiked dramatically to over 2 million percent just before the attack. Blockaid's systems detected the exploit in real-time, indicating losses were ongoing as the transactions progressed. They provided detailed information regarding the exploit, including the attacker's wallet and specifics of the contracts involved.

The primary target was a specific vault named LazyVault_LowerRisk_USDC, with the ticker LVUSDC, which is managed by BlockAnalitica. Following the incident, it was noted that the largest vault holder appeared to be linked to Torben Jorgensen, according to PeckShieldAlert.

Mechanism of the Attack

The strategy employed in this attack involved a donation-based inflation mechanism against an ERC-4626 vault. According to reports from BlockTempo, the attacker deposited a small amount of tokens directly into the vault, manipulating the asset-to-share ratio and inflating share prices. This allowed the attacker to redeem a greater value than the original deposit.

The operation utilized a flash loan from Morpho where the loan is taken out and repaid within the same transaction facilitating trades through established protocols such as Uniswap, Curve, and Balancer. Although the amount taken was relatively minor compared to larger breaches in the cryptocurrency space, it represented a significant setback for Summer.fi.

Summer.fi's Response

In the aftermath of the attack, Summer.fi has paused all Lazy Summer vault activities and is conducting a thorough investigation to determine the exploit's underlying causes. The platform aims to enhance its security measures to prevent future breaches.