The DeFi Report - Sponsor Image The DeFi Report - Industry-leading crypto research trusted by finance pros. Friend & Sponsor Learn more

Lazy Summer Protocol Drained of $6M in Vault Price Exploit

Lazy Summer Protocol lost $6M to a NAV manipulation exploit three months in the making.
Lazy Summer Protocol Drained of $6M in Vault Price Exploit
Listen
1
0
0:00 0:00

Subscribe to Bankless or sign in

An attacker siphoned just over $6M from two Lazy Summer Protocol USDC vaults on Ethereum Ethereum yesterday, per the team's post-mortem. The vector entailed inflating the vaults' share prices in flash loan transactions, after which the exploiter cashed out against other depositors' capital.

What's the Scoop?

  • The exploit: The attacker donated Silo "Varlamore" tokens, still carrying stale, never-marked-down valuations from November 2025's Stream Finance collapse, into a strategy module that had been capped for removal but still counted toward vault NAV. That pumped the share price ~9.5%, letting them redeem ~$71M against a ~$64.8M deposit.
  • Months of prep: Involved allets began accumulating the mispriced tokens roughly three months ago, all funded via the same path, so it's clear this compromise was meticulously planned rather than opportunistic.
  • The response: Every vault protocol-wide was paused and capped to zero, marking the first live-exploit use of the Lazy Summer DAO's Guardian multisig. The attacker has since routed funds through Tornado Cash, so the possibility of compensation for victims now rests in the hands of Lazy Summer DAO governance.
  • Zooming out: Notably, Lazy Summer's smart contracts worked exactly as intended. Instead, the hole was operational, i.e. a half-offboarded market left priced into NAV. The incident is a stark reminder to DeFi projects that decommissioning hygiene is security, too.


Bankless

Written by Bankless

787 Articles View all      

It’s time to break up with your bank, and join the movement for a better world.

No Responses
Bankless durchsuchen