Summer Finance, a DeFi platform offering institutional vault infrastructure, confirmed a $6 million exploit of its Lazy Summer USDC vault on July 6. The loss represents just over a quarter of the vault's total value locked before the attack, according to DeFiLlama data.
Blockchain security auditor BlockSec identified the mechanism: the attacker accumulated large quantities of deprecated vgUSDC tokens at minimal cost, then executed a share-price distortion attack to withdraw USDC from the vault. Price manipulation exploits of this type target the calculation methods vaults use to determine token redemption rates, allowing attackers to extract more collateral than their deposit weight should permit.
The vault is managed by risk advisor Block Analitica. Summer Finance halted vault operations while investigating and sent an on-chain message to the exploiter requesting contact. The team has not yet disclosed whether recovery negotiations are underway or whether vault users will face haircuts on their deposits.
Broader vulnerabilities exposed
The Summer Finance incident arrived amid a string of security failures across DeFi infrastructure. On the same day, an unlucky Uniswap trader lost approximately $2 million when their transaction routed through an illiquid v3 pool, with a back-running MEV bot claiming $1.8 million as a tip to TitanBuilder, according to security firm Decurity.
More alarming: blockchain security firm Hexens disclosed a bug in the Aptos Move VM that it estimates "put up to $70 billion at systemic risk." Hexens described it as a type-confusion vulnerability at the execution layer, with a roughly 90% success rate across simulated runs on a 30-validator test cluster. The cost to build attack infrastructure was $3,000. Polygon CTO Mudit Gupta called it "the worst kind of bug possible," noting the "arbitrary state write bug" threatens "most assets across all chains." Aptos developers were not identified in the source material as having responded publicly at the time of disclosure.
These incidents underscore a persistent problem in DeFi: the gap between institutional-grade safety expectations and the actual resilience of protocols handling billions in user funds. Summer Finance's pause is precautionary, but the damage to user confidence and the remaining operational questions about recovery timelines will likely shape how institutional capital allocates to DeFi vaults in the coming months.