Crypto attackers have drained around $6 million from Summer.fi‘s Lazy Summer protocol on July 6, exploiting a USDC vault whose advertised yield briefly jumped past 2 million percent, according to on-chain security firms Blockaid and PeckShieldAlert. Blockaid wrote on X that its exploit detection system had identified the exploit when it was ongoing.
The security firm stated then that about $6 million had been “drained so far” while the transactions were still moving. A follow-up post from Blockaid published the exploit transaction, the crypto attacker’s wallet, the exploit contract, and the list of affected Lazy Summer contracts. The target was a single vault that PeckShieldAlert identified as LazyVault_LowerRisk_USDC, ticker LVUSDC, a strategy risk-managed by the firm BlockAnalitica. According to PeckShieldAlert, “LVUSDC’s displayed APY briefly spiked to ~2.08M%,” and added that the largest holder of the vault after the exploit “appears to be associated with Torben Jorgensen.”
Crypto scammers steal $6M from Summer.fi
According to BlockTempo, which cited Blockaid’s timing of 05:17, the crypto attacker ran a donation-based inflation attack against an ERC-4626 vault. The ERC-4626 standard is the default interface for vaults that issue shares against deposited tokens, and it calculates share price based on the ratio of assets held to shares outstanding.
If an attacker donates a small amount of tokens directly into the vault, they could theoretically distort that ratio and push the price of a single share far above its fair value, then redeem for more than they put in. BlockTempo reported that the operation was funded by a flash loan taken from Morpho, a loan borrowed and repaid inside one transaction, with the trades routed through Uniswap, Curve, and Balancer. The exploited figure is modest by the standards of crypto’s largest breaches, but it is large relative to Summer.fi‘s size.
The protocol has around $34.8 million in total value locked, most of it on Ethereum, and over $32.4 million is on Ethereum, per Defillama data. The $6 million drain is close to a fifth of the platform’s assets, which is substantial. Summer.fi markets itself as a yield aggregator that lets users “borrow, multiply and earn” across lending venues, with the Lazy Summer vaults routing deposits into strategies built on protocols such as Morpho. Q2 2026 saw the most attacks on record by incident count, with over 83 separate exploits.
That quarter was characterized by many smaller drains, and share-price and accounting manipulations sit alongside bridge flaws and admin-key theft as recurring vectors. Summer.fi has acknowledged the attack, writing on X, “We are aware of the reported exploit a little earlier today and are investigating the root cause. The protocol guardians are currently pausing all Vaults across the Lazy Summer Protocol.” The team states that they will provide more updates as they come.

