Summer.fi reveals months of preparation for a $6 million DeFi exploit


Summer.fi published a detailed post-mortem report on $6.04 million Exploitation that drained the two of her Lazy Summer Protocol USDC Vaults. He concludes that the attack was planned months in advance and was not merely an opportunistic quick loan exploit.

The report says the attacker spent nearly three months amassing the assets needed to manipulate the protocol. The exploit was executed in a single atomic transaction on July 6.

It also argues that the root cause was an operational issue during the implementation of an outdated strategy and not a bug in the protocol’s smart contracts.

The attack exploited an incomplete logout process

According to the autopsy, the attacker Manipulating the net asset value (NAV) of two USDC vaults. Silo vault tokens of ancient value were donated to the ship which was covered during the checkout process. However, the ship remained included in the vault’s net asset value calculations.

This artificially inflated the vault’s stock price, allowing the attacker to redeem shares at an inflated value. Then the attacker almost retreated $6.04 million in USDC From the fluid positions of the protocol.

The losses were distributed among Low-risk USDC Vault, which lost about $5.64 millionand High-risk USDC Vault, which lost nearly $400,000.

Summer.fi stressed that the exploit was not due to compromised private keys, administrative privileges, or a coding error. Instead, it said the affected contracts behaved by design.

However, the weak ship remained active in vault accounting after its deposit cap was set to zero.

Preparation began months before the exploit occurred

The report also challenges the early narrative that the exploit was just a flash loan attack.

Summer.fi said blockchain evidence suggests so The attacker funded multiple wallets about three months before the incident. The attacker then gradually accumulated old value Silo vault tokens, which were later used to inflate the net asset value of the vaults.

Flash loans primarily provided temporary liquidity for the final transaction rather than creating the vulnerability itself.

The protocol also addressed a widely shared screenshot showing approximately an annual percentage return 2.08 million%. He explains that this figure resulted from a one-block rise in the vault’s reported net asset value and did not represent actual investment returns.

The protocol has been paused while management considers next steps

Following this exploit, all Lazy Summer Protocol vaults were temporarily suspended, and maximum deposits were reduced to zero while the incident was investigated.

The report said the administration must now decide how to deal with affected vaults, whether to compensate users, and when unaffected vaults can safely resume operations.


Final summary

  • Summer.fi said the $6.04 million exploit was planned over several months and arose from an incomplete operation to take out the vault.
  • The protocol has paused all vaults while management considers compensation, remediation and safe reopening of unaffected markets.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *