On Monday morning, Summer.fi, a multi-chain protocol previously known as Oasis.app, experienced a significant security breach. A flash loan attack resulted in the loss of approximately $6 million in DAI stablecoins from its automated vaults.

Details of the Attack

The attacker executed a massive flash loan valued at $65.4 million to manipulate liquidity within the "LazyVault_LowerRisk_USDC" pool. This vault had positioned itself as a low-risk investment, monitored by Block Analitica for security.

During the attack, the algorithms governing the pool experienced a critical malfunction. This malfunction caused the annual percentage yield (APY) to spike to nearly 2,080,000%, creating a window for the hacker to withdraw user funds before the anomaly was corrected.

Security Firms Respond

The hack was swiftly identified by leading blockchain security companies, including Blockaid, PeckShield, and CertiK. The vault affected by the attack is known by the username @summerfinance_ and specifically pertains to the LazyVault_LowerRisk_USDC (LVUSDC), which was meant to be risk-managed by @BlockAnalitica. The displayed APY reached an unprecedented level prior to the withdrawal.

Background of Issues at Summer.fi

This incident marks another challenge within the multichain infrastructure of Summer.fi, which operates across Ethereum, Base, and Arbitrum. Over the previous year, the protocol has dealt with various issues, including frozen withdrawals due to the USDX stablecoin's depegging, a near-attack involving the rsETH project, and a thwarted governance proposal that could have exploited outdated permissions.

The ongoing difficulties facing Summer.fi reflect broader vulnerabilities in the DeFi landscape, as protocols continue to grapple with security risks and operational challenges. This latest attack emphasizes the crucial need for enhanced security measures in decentralized finance.