
Summer Finance, a DeFi yield optimization protocol, was hit by an exploit that affected the protocol's USDC vaults, resulting in an estimated loss of roughly $6 million.
The exploit was confirmed by several blockchain security firms, including Blockaid, Cyvers, and CertiK. According to Cyvers, the attack appears to have been caused by the exploitation of a shared accounting vulnerability. The stolen funds were eventually swapped for the DAI stablecoin and transferred to the attacker's wallet.
Although all vaults across the Lazy Summer Protocol were immediately paused after the exploit was confirmed, the team later released a post-mortem report detailing how the attack occurred, its scope and impact, the response actions taken, and ongoing fund recovery efforts.
Image credit: x.com
According to the post-mortem report, the exploit targeted two Lazy Summer Protocol USDC vaults on the Ethereum mainnet. The attack, which is believed to have been planned over a period of about 3 months, was executed using a $65 million flash loan. Of that amount, approximately $64.8 million was deposited into Summer's vaults.
The attacker then deposited Varlamore USDC (vgUSDC) Growth tokens, which were essentially worthless, into the vulnerable Silo Ark vault, which had been partially shut down. Because the vault's accounting logic incorrectly treated the fake vgUSDC tokens as legitimate assets with real value, the attacker was able to withdraw genuine funds from the protocol.
In response, the Summer Finance team took several measures to contain the impact, including pausing vaults across the Ethereum, Base, Arbitrum, and Sonic networks. The team has also launched an investigation and begun tracing the stolen funds.
The Summer Finance exploit occurred around the same time that the BonkDAO treasury was drained of approximately $20 million. In that incident, the attacker reportedly purchased $4.4 million worth of BONK tokens, allowing them to meet the DAO's low quorum threshold. The attacker then passed a malicious governance proposal, BIP 76, which automatically transferred approximately $20 million from the treasury.

Flow Foundation is seeking a court order in Seoul to halt the planned delisting of the FLOW token on three South Korean exchanges following an exploit on the protocol in December.
The Flow Foundation and its parent company, Dapper Labs, filed a motion with the Seoul Central District Court on Monday to block the delisting of the FLOW token from three South Korean exchanges.
This move is coming months after the Layer 1 blockchain protocol suffered a security incident in December, which led to several exchanges temporarily stopping the trading of the FLOW token at the time. However, three major Korean exchanges; Upbit, Bithumb, and Coinone, have moved to permanently stop the trading of the token on their exchanges on March 16.
On December 27, 2025, Flow suffered a protocol-level exploit that resulted in losses of about $3.9 million. The breach was caused by a flaw in the smart-contract runtime within Flow’s execution layer, which allowed the attacker to exploit vulnerabilities in Cadence.
Cadence is Flow’s smart contract runtime. By exploiting the flaw in Cadence, the attacker was able to duplicate Flow tokens instead of properly minting them.
After duplicating the tokens, the attacker attempted to bridge them out of the protocol using cross-chain bridges such as Celer, deBridge, Relay, and Stargate. However, this abnormal activity was detected by Flow’s validator network, which placed the blockchain in read-only mode, halting further asset transfers.
This incident led to a sharp decline in the price of the FLOW token. Prior to the breach, FLOW was trading at around $0.17, but it fell over 40% to roughly $0.097 within hours of the exploit being announced.
Image credit: Tradingview
The incident also affected the token’s market cap. Before the breach, FLOW had a market cap of around $280–284 million. After the breach, it fell to approximately $164–170 million. Although the breach directly resulted in a $3.9 million loss, the protocol’s total market value dropped by over $110 million.
Image credit: Coingecko
Following remediation efforts after the incident, the Flow Foundation claimed that every major global exchange has independently reviewed and restored FLOW token trading on their platforms.
According to the foundation, the FLOW token remains fully available and tradeable on major exchanges, including Binance, Coinbase, Kraken, OKX, Gate.io, HTX, and Bybit, with Korbit being the only Korean exchange still supporting the trading of FLOW.