BTC
ETH
HTX
SOL
BNB
ดูตลาด
简中
繁中
English
日本語
한국어
ภาษาไทย
Tiếng Việt

Summer.fi: Lazy Summer Attack Stemmed from Exploitation of NAV Mechanism, Not a Contract Vulnerability

2026-07-08 00:22

Odaily News Summer.fi released an analysis report on the Lazy Summer Protocol USDC Vault Attack. On July 6, the attacker manipulated the share prices of two USDC vaults in a single atomic transaction, extracting approximately $6.04 million in depositor funds. The report states that the attack involved the calculation method of the vaults' Net Asset Value (NAV).

The attacker donated tokens, which still retained their old valuation, to a Silo Ark that had been paused but not completely removed following an incident in November 2025. This caused the vault's total assets to be inflated by approximately 9.5%, artificially raising the share price. The attacker then redeemed shares at this inflated price and withdrew funds from the vault's real liquidity. The report emphasizes that this attack was not due to a code vulnerability in the contract, but rather a missing step in the vault's decommissioning process. The deposit cap for this Ark had been set to zero, yet it was still being included in the NAV calculation of the active asset set.