Summer Finance has reported a security breach resulting in a loss of $6 million, attributed to the exploitation of a flash loan and manipulation of vault accounting. Onchain analysts flagged the incident, which occurred early Monday, and various security firms are currently investigating the exploit.

Details of the Exploit

Blockchain security firm Blockaid indicated that approximately $6 million was drained from Summer Finance due to the attack. Following this, Cyvers revealed that the attacker manipulated share-accounting systems and liquidity via price alterations. The stolen assets were promptly converted into DAI and transferred to a wallet controlled by the attacker.

In a detailed analysis, CertiK disclosed that the exploitation involved a $65.4 million flash loan which allowed the attacker to redeem $70.9 million after distorting accounting within the Summer Finance vaults. The exploit specifically targeted FleetCommander and several connected vaults, highlighting vulnerabilities in the accounting processes used.

Execution of the Attack

The attacker utilized a comprehensive strategy to siphon off the funds. Crypto trader Crypto Jargon categorized the incident as a traditional flash loan attack. This involved borrowing funds, subsequently manipulating liquidity on Curve pools and Morpho, and ultimately withdrawing around $6 million. Remarkably, the loan was repaid within the same transaction, thereby minimizing risk for the attacker.

CertiK provided insights that the attacker was able to redeem their large returns due to the prior manipulation of FleetCommander’s accounting system, particularly in vaults like Silo: Varlamore USDC Growth. The attack exemplifies significant weaknesses in DeFi protocols where accounting discrepancies can be exploited within the ecosystem.

Current Status

As of now, Summer Finance has not issued an official statement regarding the breach. Security firms remain engaged in thorough analysis to determine the full extent of the incident and potential vulnerabilities in the protocol.