Summer Finance suffered a $6 million exploit after attackers allegedly abused a flash loan and manipulated protocol accounting. Onchain analysts traced the incident early Monday as security firms examined the exploit path. Meanwhile, the protocol has not released an official statement about the security breach.
Blockchain security firm Blockaid identified the exploit and confirmed that attackers drained about $6 million from Summer Finance. Soon after, Cyvers reported that the attacker exploited a share-accounting weakness via price manipulation. The attacker then swapped the stolen funds into DAI and transferred them to a controlled wallet.

Meanwhile, CertiK explained that the attacker used a $65.4 million flash loan during the exploit. The attacker redeemed about $70.9 million after manipulating asset accounting inside Summer Finance vaults. CertiK said the exploit targeted FleetCommander and several connected vaults through accounting distortions.
The firm added that the attacker accumulated positions in the affected vault before executing the transaction. As a result, Summer Finance lost about $6 million while the flash loan settled successfully.
Crypto trader Crypto Jargon described the exploit as a classic flash loan attack against Summer Finance. The attacker borrowed funds, manipulated liquidity across Curve pools and Morpho, then captured roughly $6 million. Afterward, the attacker repaid the loan within the same blockchain transaction.
He added that flash loans only expose attackers to transaction fees if every step succeeds. Therefore, Summer Finance faced losses without the attacker risking permanent capital.
Phylax Systems founder Odysseas Lamtzidis said accounting and liquidity assumptions enabled the exploit against Summer Finance. He stated that the attacker used an unverified contract while the vulnerable protocol contracts remained verified. Furthermore, he found no evidence of compromised private keys or abused administrator privileges.
The Summer Finance incident adds to a growing number of decentralized finance security breaches this year. CryptoRank recorded 121 DeFi hacks during 2026 with almost $942 million in reported losses. Most attacks occurred during the second quarter and caused approximately $775 million in damages.
CryptoRank also reported that DeFi total value locked declined from about $115 billion in January to $70 billion by late June. The firm linked weaker confidence with repeated protocol exploits across the sector. Consequently, Summer Finance became another major protocol affected during a difficult year.
Meanwhile, CryptoRank said Drift Protocol and KelpDAO accounted for roughly $590 million of this year’s losses. TRM Labs and Chainalysis linked both attacks to North Korea-backed hacking groups. However, analysts have not connected the Summer Finance exploit to those previous incidents.
The post Summer Finance Loses $6M After Analysts Flag Vault Accounting Flaw appeared first on CoinCentral.


