BTC
ETH
HTX
SOL
BNB
View Market
简中
繁中
English
日本語
한국어
ภาษาไทย
Tiếng Việt

Summer.fi: Lazy Summer Attack Exploited NAV Mechanism, Not a Contract Vulnerability

2026-07-08 00:22

Odaily reports that Summer.fi has published an analysis report on the Lazy Summer Protocol USDC Vault attack incident. On July 6, the attacker manipulated the share prices of two USDC vaults in a single atomic transaction, extracting approximately $6.04 million in depositor funds. The report states that the attack involved the calculation method of the vault's Net Asset Value (NAV).

The attacker donated tokens that still retained their old valuations to a Silo Ark that had been paused but not fully removed after an incident in November 2025. This caused the vault's total assets to be inflated by approximately 9.5%, artificially raising the share price. The attacker then redeemed shares at this inflated price and withdrew funds from the vault's real liquidity. The report emphasizes that this attack was not a contract code vulnerability, but rather a missing step in the vault's decommissioning process. The Ark's deposit limit had been set to zero, but it was still being included in the NAV calculation as part of the active asset set.