A $6 million drain on Summer.fi’s automated vaults has put the industry on notice: smart contract bugs are no longer the biggest threat – the code that rebalances your money without asking might be.
Blockaid flagged the exploit on July 6, estimating roughly $6 million had already left the protocol. The security firm posted the exploit transaction, the attacker’s address, and the specific contracts involved – both Summer.fi and its Lazy Summer protocol were hit. The on-chain record shows a successful Ethereum transfer at 05:17:59 UTC.
Summer.fi acknowledged the incident hours later. Protocol guardians froze all vaults across Lazy Summer while the team investigates the root cause. The final loss figure and the exact vulnerability remain unconfirmed pending a fuller review.
The exploit targets a design feature many depositors never see.
Summer.fi’s Lazy Vaults – also called Fleets – are supposed to be set-and-forget. They auto-rebalance using a layered system: a Fleet Commander handles deposits and allocation; ARKs run the yield strategies; RAFT harvests and compounds rewards. A Keeper AI Agent can shift assets between ARKs within governance-set limits.
That chain of trust is exactly where the attack landed. A depositor relies on share accounting, strategy contracts, keeper logic, governance caps, and emergency brakes – all moving capital without manual approval.
The incident follows a brutal quarter for DeFi security. CryptoSlate’s own analysis pegged total known hack losses at $780.3 million in Q2 alone. The pattern is shifting: flash loans and bridge exploits are fading, but logic bugs – especially in automated systems – are harder to contain.
For now, users should watch for Summer.fi’s post-mortem. The protocol has audits and an Immunefi bounty on record, but this event shows that “audited” and “safe” are not the same thing when automation is the attack surface.
SummerFi loses $6M from automated vault glitch, exposing risks in hands-off crypto funds
SummerFi’s automated deposit funds were drained of about $6 million due to a weakness in the software that manages asset shifts without user approval. This affects depositors who trusted the system to safely handle their money and raises concerns over hidden risks in automated crypto services.