Site icon AMBCrypto

Summer.fi reveals months-long preparation behind $6M DeFi exploit

Summer.fi reveals months-long preparation behind $6M DeFi exploit

Summer.fi reveals months-long preparation behind $6M DeFi exploit

Summer.fi has published a detailed post-mortem on the $6.04 million exploit that drained two of its Lazy Summer Protocol USDC vaults. It concludes that the attack was planned months in advance rather than being an opportunistic flash loan exploit.

The report says the attacker spent roughly three months accumulating the assets needed to manipulate the protocol. The exploit was executed in a single atomic transaction on July 6

It also argues that the root cause was an operational issue during the offboarding of an old strategy rather than a flaw in the protocol’s smart contracts.

Attack exploited incomplete offboarding process

According to the post-mortem, the attacker manipulated the net asset value [NAV] of two USDC vaults. Stale-valued Silo vault tokens were donated into an Ark that had been capped during an offboarding process. However, the Ark remained included in the vault’s NAV calculations.

That artificially inflated the vault’s share price, allowing the attacker to redeem shares at an inflated value. The attacker then withdrew approximately $6.04 million in USDC from the protocol’s liquid positions. 

The losses were split between the Lower Risk USDC Vault, which lost about $5.64 million, and the Higher Risk USDC Vault, which lost roughly $400,000.

Summer.fi stressed that the exploit was not caused by compromised private keys, administrative privileges, or a coding bug. Instead, it said the affected contracts behaved as designed.

Still, an impaired Ark remained active in the vault’s accounting after its deposit cap had been set to zero.

Preparation began months before the exploit

The report also challenges the early narrative that the exploit was simply a flash loan attack.

Summer.fi said blockchain evidence indicates the attacker funded multiple wallets around three months before the incident. The attacker then gradually accumulated stale-valued Silo vault tokens, which were later used to inflate the vaults’ NAV. 

The flash loans primarily provided temporary liquidity for the final transaction rather than creating the vulnerability itself.

The protocol also addressed a widely shared screenshot showing an annual percentage yield of roughly 2.08 million%. It explains that the figure resulted from a one-block spike in the vault’s reported NAV and did not represent actual investment returns.

Protocol paused as governance weighs next steps

Following the exploit, all Lazy Summer Protocol vaults were paused, and deposit caps were reduced to zero while the incident was investigated.

The report said governance must now decide how to handle the affected vaults, whether to compensate users, and when unaffected vaults can safely resume operations.


Final Summary


 

Exit mobile version