DeFi yield optimization protocol Summer Finance suffered a $6 million attack through an accounting flaw in its automated vault management system. The attacker used a $65.4 million flash loan to manipulate Fleet Commander’s asset calculation and secured a $70.9 million redemption. The protocol has not yet officially confirmed the incident.
Attack on Summer Finance
According to on-chain analysts, DeFi yield optimization protocol Summer Finance was hit by a $6 million attack. Blockaid detected the breach early Monday morning. Security firms including Cyvers and CertiK later shared technical details of the incident.
The protocol, also known as Summer.fi, automatically allocates and rebalances user deposits across various high-yield lending platforms through AI-powered keepers. These automated yield strategies have become more popular in DeFi recently. However, the complex smart contract structures that connect multiple protocols also create new attack surfaces for exploiters.
How did the attack happen?
According to Cyvers, the attacker targeted a share accounting flaw through price manipulation. The stolen $6 million was converted into the DAI stablecoin and transferred to an address controlled by the attacker. In these types of attacks, rapidly converting funds into stablecoins and moving them elsewhere is a common method used to make tracking more difficult.
The details shared by CertiK show more clearly how the attack was structured. The attacker used a $65.4 million flash loan and manipulated how Summer.fi’s Lazy Summer Protocol calculated total assets in its vaults. As a result, the attacker managed to receive a $70.9 million redemption, withdrawing far more than the amount initially deposited into the system.
According to CertiK, the attacker manipulated Fleet Commander’s totalAssets() calculation across multiple vaults, especially the Silo: Varlamore USDC Growth vault, where they had previously accumulated funds and made intermittent donations to Ark. This allowed the attacker to withdraw $70.9 million after making a $64.8 million deposit. Fleet Commander is defined as the smart contract that manages the vaults, while Ark is described as the contract that connects a vault to a lending protocol.
Why did the flash loan mechanism work?
Flash loans provide millions of dollars in unsecured liquidity, as long as the loan is borrowed and repaid within the same transaction. This allows attackers to temporarily disrupt a protocol’s pricing or accounting logic without needing large amounts of capital of their own.
In this case, the attacker appears to have manipulated Fleet Commander’s total asset calculation for each vault through a real-time donation mechanism. This caused the system to think it held more assets than it actually did. As a result, the attacker was able to request a redemption amount that would not normally have been possible.
These types of share accounting flaws are not new in DeFi. In vault-based protocols, total asset calculations often rely on price feeds or balance checks that can be manipulated externally. This continues to create repeated opportunities for attackers in similar scenarios.



