Summer.fi has reportedly been exploited, with roughly $6 million drained so far. Blockaid flagged the exploit in a post on X on Monday.
The security firm published the attacker’s address, the exploit contract, and the affected Lazy Summer contracts.
Blockaid said its detection system surfaced the incident on Monday morning, estimating about $6 million in losses at that stage. The firm highlighted the on-chain addresses associated with the attack.
Security firm PeckShield identified the main affected vault as LazyVault_LowerRisk_USDC (LVUSDC), which Block Analitica risk-manages. The firm said that the vault’s displayed APY briefly spiked to about 2.08 million %.
“The largest current holder is 0x8741e8f…4130, which appears to be associated with Torben Jorgensen (UDHC), and has deposited ~8.6M USDC into this vault,” the post read.
Follow us on X to get the latest news as it happens
#PeckShieldAlert @summerfinance_ has been exploited for $6M ethereum:0x6b175474e89094c44da98b954eedeac495271d0f pic.twitter.com/VEPF5HUgvH
— PeckShieldAlert (@PeckShieldAlert) July 6, 2026
Summer.fi, formerly Oasis.app, is the front-end for the Lazy Summer Protocol, an onchain vault system that automatically routes deposits across DeFi yield sources like Aave and Morpho.
The network’s native token SUMR traded near $0.00193, down 5.3% over 24 hours. The move diverged from the broader market, which rose more than 1% on the day.
The incident marked the second crypto exploit recorded in July, according to DeFiLlama. It follows a series of attacks in June, when crypto platforms lost $75.87 million across 40 hacks, with the Humanity Protocol breach accounting for the largest loss.
BeInCrypto has reached out to Summer.fi for comment. This is a developing story.
Subscribe to our YouTube channel to watch leaders and journalists provide expert insights