PANews|7月 08, 2026 00:20
[Summer.fi: The Lazy Summer attack was not a contract vulnerability but an exploitation of the NAV mechanism]
Summer.fi has released an analysis report on the Lazy Summer Protocol USDC vault attack incident. On July 6, the attacker manipulated the share prices of two USDC vaults in a single atomic transaction, extracting approximately $6.04 million of depositor funds. The core of the attack lies in the calculation method of the vault's Net Asset Value (NAV). The attacker donated tokens with outdated valuations to a Silo Ark that had been suspended after an event in November 2025 but not fully removed. This caused the total assets of the vault to be artificially inflated by about 9.5%, leading to an increase in share prices. The attacker then redeemed at the inflated prices and withdrew from the vault's actual liquidity. The report emphasizes that this attack was not due to a vulnerability in the contract code but rather a missing step in the vault decommissioning process—the deposit cap for this Ark had been set to zero, but it was still included in the active asset pool and factored into the NAV.
Share To
Timeline
HotFlash
APP
X
Telegram
CopyLink