June 12, 2025 — In a single atomic transaction, an attacker turned $65.4 million of borrowed liquidity into $6 million of pure DAI profit. The target? Summer.fi, a DeFi vault aggregator built on top of Morpho. The weapon? Not a reentrancy bug or a price oracle manipulation, but something far more subtle: a broken vault share accounting formula.
This wasn’t a code execution error. It was a logic flaw — one that allowed the attacker to rewrite the ledger of ownership in a single block. The market will call it another hack. I call it a predictable consequence of treating vault shares as a mere proxy for value without auditing the state dependencies underneath.
Context: The Vault Aggregator’s Dilemma
Summer.fi is not a base-layer lending protocol. It’s an aggregation layer — a smart contract that accepts user deposits, allocates them to underlying protocols like Morpho, and tracks each user’s stake via vault shares. These shares are supposed to represent a proportional claim on the vault’s total assets. In theory, the math is straightforward: share price = total assets / total shares outstanding.
In practice, that formula is only as secure as the inputs. If the calculation of “total assets” depends on a mutable state — such as an interaction with a flash loan — then the entire ownership structure becomes malleable.
Core: The Atomic Accounting Heist
The attacker deployed a custom contract that executed the following sequence in one transaction: 1. Borrow 65,400,000 DAI via a flash loan from Morpho. 2. Use that borrowed DAI to interact with Summer.fi’s vault — likely depositing a small amount to mint shares, then manipulating the vault’s internal accounting by triggering a state change that inflated or deflated the share price. 3. Withdraw a disproportionate amount of assets (roughly $6 million) based on the manipulated share price. 4. Repay the flash loan, pocketing the difference ($6M in DAI).
The key insight: the vault share calculation was dependent on an external condition that the attacker could temporarily distort. This is a classic “input validation” failure — the contract trusted that the state used to compute share value was stable within the transaction. It was not.
Blockaid and CertiK flagged the exploit early, but by then the attacker had already extracted the funds. The stolen assets are mostly DAI — a stablecoin that is liquid and easy to move. The attacker’s address remains active, and if history is any guide, the funds will soon be mixed or bridged.
Contrarian: The Real Vulnerability Is Not in the Code — It’s in the Incentives
Most reports will frame this as a technical bug. It’s not. It’s a failure of economic design. Summer.fi’s vault shares were implemented as a computational shortcut — a way to track user ownership without recalculating everything every block. But shortcuts in DeFi are backdoors waiting to be exploited.
The contrarian truth: Summer.fi’s team likely knew their share pricing logic was fragile. They shipped it anyway because the market was demanding speed. The same incentive that drives DeFi innovation — “move fast, break things” — is the same incentive that produces these attacks. The attacker simply found the edge case that the team chose not to test thoroughly.
Retail users will blame the hacker. The community will call for better audits. But the real issue is misaligned incentives between protocol developers (who benefit from TVL growth) and users (who assume the math is sound). Until vault share formulas are treated with the same rigor as liquidation engines, this will happen again.
Takeaway: Watch the State, Not the Tokens
The Summer.fi incident is a canary in the coal mine for any DeFi protocol that computes share values against mutable inputs. The immediate action: if you have funds in vaults that depend on external protocol states (like Morpho, Compound, or Aave), demand transparency on how share prices are calculated. Auditors should flag any formula that reads a variable that can be altered within the same transaction.
As for Summer.fi — their response will define their future. A full compensation plan and a public post-mortem might restore trust. If they try to brush this off as a one-off, they’ll bleed TVL to competitors.
We farmed the yields until the protocol farmed us. — Root: Auditing the DAO and Ethereum
The lesson is older than DeFi itself: code is law, but only if the law is correctly written. — Root: Auditing the DAO and Ethereum
In a sideways market, chop is for positioning. The best position right now is outside any vault that uses arithmetic without bounds checking. — Root: Auditing the DAO and Ethereum