Summer.fi Lazy Summer attack is not a contract vulnerability, but rather an exploitation of the NAV mechanism

By: rootdata|2026/07/08 00:42:08
0
Share
copy

Summer.fi released an analysis report on the Lazy Summer Protocol USDC treasury attack incident. The attacker manipulated the prices of two USDC treasury shares in a single atomic transaction, extracting approximately $6.04 million of depositor funds. The core of the attack lies in the calculation method of the treasury's net asset value (NAV).

The attacker donated tokens that still retained the old valuation to a Silo Ark that had been suspended after the incident in November 2025 but had not yet been completely removed, resulting in an inflated total asset value of approximately 9.5%, raising the share price, which was then redeemed at an inflated price and withdrawn from the treasury's actual liquidity. The report emphasizes that this attack was not due to a contract code vulnerability, but rather a missing link in the treasury's offline process—the deposit limit for that Ark had been set to zero, yet it was still counted in the NAV of active assets.

The attacker premeditatedly accumulated the required tokens three months in advance through multiple wallets and transferred part of the profits via Tornado Cash. After the incident, Guardian Multisig has suspended all on-chain treasuries and set the deposit limit to zero. The Lazy Summer DAO will discuss compensation plans for affected users and the treasury restart plan in the coming days.

You may also like

Morning News | SK Hynix officially launches the marketing promotion process for its U.S. stock listing; the Central Cyberspace Administration announces the results of the first phase of rectifying AI application chaos, with over 14,000 non-compliant pr...

July 6 Market Important Events Overview

How has Binance's stock business performed in the 30 days since its launch?

Emerging market buying supported the first wave of demand.

Blockchain Capital Partner: AI is rewriting the fundamental unit of labor

The rise of AI is rewriting the basic unit of labor from "positions" and "companies" to "tasks." When programmable labor meets programmable currency, a production line without companies, salary systems, or HR becomes possible for the first time.

Can Open USD support Stripe's ambitions?

Stripe collaborates with multiple parties to launch OUSD, not only challenging the dominance of USDC but also exposing its trillion-dollar ambition to transition from a "payment interface" to a "next-generation funds settlement network."

Founder of Baixing.com: I believe half of the statement that large language models devour everything

The internet has been shouting for so many years about devouring everything. Has it really devoured everything now? Is it the internet that devours everything, or is it the large models that devour everything? Both are devouring, and nothing is left?

A "legal" robbery? Attackers emptied the BonkDAO treasury by buying tickets

Handing over the keys to the vault to a public vote where "anyone can spend money to participate," without sufficient oversight mechanisms, even the most legitimate governance ideals may turn into the most convenient tools for attackers.

Popular coins

Latest Crypto News

Read more
iconiconiconiconiconiconicon
Customer Support:@weikecs
Business Cooperation:@weikecs
Quant Trading & MM:bd@weex.com
VIP Program:support@weex.com