Summer.fi: Lazy Summer Exploit Stemmed from Exploitation of NAV Mechanism, Not a Contract Vulnerability
Odaily Planet Daily News Summer.fi has released an analysis report on the attack on the Lazy Summer Protocol USDC Vault. On July 6, the attacker manipulated the share prices of two USDC vaults in a single atomic transaction, extracting approximately $6.04 million in depositor funds. The report states that the attack involved the method of calculating the Net Asset Value (NAV) of the vaults.
The attacker donated tokens, which still retained their old valuation, to a Silo Ark that had been paused but not fully removed after an incident in November 2025. This caused the total assets of the vault to be inflated by approximately 9.5%, artificially raising the share price. The attacker then redeemed shares at this inflated price and withdrew funds from the vault's real liquidity. The report emphasizes that the attack was not due to a vulnerability in the contract code, but rather a missing step in the vault decommissioning process. The deposit limit for this Ark had been set to zero, but it was still included in the NAV calculation of the active asset set.
