Summer Finance—a yield aggregation and automated vault management platform formerly known as Oasis.app—has fallen victim to an exploit that drained roughly $6 million in DAI tokens. The incident, which surfaced on July 6, 2026, on the Ethereum blockchain, has prompted security researchers and on-chain analysts to identify a sophisticated flash loan attack as the likely mechanism.
Summer Finance specializes in optimizing yields for users through smart contract-based vaults that allocate capital across lending protocols and liquidity pools.
Its “Lazy Summer Protocol” vaults, in particular, came under fire during the attack.
Blockchain security firms including Blockaid, PeckShield, and CertiK quickly flagged the ongoing drain, with Blockaid estimating the loss at around $6 million in DAI withdrawn from affected contracts.
#PeckShieldAlert @summerfinance_ has been exploited for $6M ethereum:0x6b175474e89094c44da98b954eedeac495271d0f pic.twitter.com/VEPF5HUgvH
— PeckShieldAlert (@PeckShieldAlert) July 6, 2026
Crypto analysts describe the exploit as a classic flash loan liquidity manipulation scheme executed within a single atomic transaction.
The attacker reportedly borrowed approximately $65.4 million through a flash loan from Morpho, a decentralized lending protocol.
These uncollateralized loans must be repaid within the same blockchain transaction or the entire operation reverts, allowing sophisticated actors to temporarily access massive liquidity without upfront capital—beyond gas fees.
Using the borrowed funds, the attacker appears to have distorted liquidity ratios in Curve’s DAI/USDC pools and routed through Morpho to manipulate accounting and share-price calculations inside Summer Finance’s vaults.
This created artificial discrepancies that the protocol’s smart contracts interpreted favorably for the attacker, enabling the extraction of roughly $6 million in profit.
Once the funds were secured, the flash loan was repaid, and the transaction finalized cleanly.
Security experts note that the vulnerability likely stemmed from assumptions in the vault’s accounting logic and liquidity handling that did not adequately account for rapid, large-scale manipulations possible with flash loans.
No evidence suggests compromised private keys or administrative privileges were involved; the attack relied purely on economic and smart-contract logic flaws.
In response, Summer Finance’s protocol guardians paused all vaults to contain further damage.
Deposits into the affected Lazy Vaults were also disabled through integrations such as DeFi Saver.
As of the latest reports, the team has not yet issued a formal public statement, though investigations by security firms continue.Flash loan attacks have become a recurring challenge in DeFi.
By leveraging temporary, massive liquidity without collateral, attackers can amplify small pricing, accounting, or oracle discrepancies into significant losses.
Historical precedents include major incidents at protocols like Euler Finance and others, underscoring the persistent difficulty of securing complex, interconnected DeFi systems against such vectors.
The Summer Finance exploit adds to a challenging year for the sector, with multiple high-profile incidents already reported in 2026.
It serves as a reminder that even audited or seemingly robust yield-optimization platforms remain exposed to creative on-chain attacks when their internal assumptions about liquidity and pricing are challenged in novel ways.
While the full technical post-mortem is still emerging, the rapid detection by monitoring tools from firms like Blockaid highlights improving real-time security capabilities in the ecosystem. As always in these types of cases, users are advised to monitor official channels from Summer Finance for updates on fund recovery efforts or DeFi protocol upgrades.