logo
    TicketsSpeakers
    News
    logo

    #Flash Loan Attack

    Summer Finance Hit by $6 Million Exploit

    Summer Finance Hit by $6 Million Exploit

    Charles Obison
    July 8, 2026
    2,048 views
    Make Us Preferred on Google

     

    Summer Finance, a DeFi yield optimization protocol, was hit by an exploit that affected the protocol's USDC vaults, resulting in an estimated loss of roughly $6 million.

     

    The exploit was confirmed by several blockchain security firms, including Blockaid, Cyvers, and CertiK. According to Cyvers, the attack appears to have been caused by the exploitation of a shared accounting vulnerability. The stolen funds were eventually swapped for the DAI stablecoin and transferred to the attacker's wallet.

     

    Although all vaults across the Lazy Summer Protocol were immediately paused after the exploit was confirmed, the team later released a post-mortem report detailing how the attack occurred, its scope and impact, the response actions taken, and ongoing fund recovery efforts.

     

    Image credit: x.com

     

    According to the post-mortem report, the exploit targeted two Lazy Summer Protocol USDC vaults on the Ethereum mainnet. The attack, which is believed to have been planned over a period of about 3 months, was executed using a $65 million flash loan. Of that amount, approximately $64.8 million was deposited into Summer's vaults.

     

    The attacker then deposited Varlamore USDC (vgUSDC) Growth tokens, which were essentially worthless, into the vulnerable Silo Ark vault, which had been partially shut down. Because the vault's accounting logic incorrectly treated the fake vgUSDC tokens as legitimate assets with real value, the attacker was able to withdraw genuine funds from the protocol.

     

    In response, the Summer Finance team took several measures to contain the impact, including pausing vaults across the Ethereum, Base, Arbitrum, and Sonic networks. The team has also launched an investigation and begun tracing the stolen funds.

     

    The Summer Finance exploit occurred around the same time that the BonkDAO treasury was drained of approximately $20 million. In that incident, the attacker reportedly purchased $4.4 million worth of BONK tokens, allowing them to meet the DAO's low quorum threshold. The attacker then passed a malicious governance proposal, BIP 76, which automatically transferred approximately $20 million from the treasury. 

     

    Tags:
    #Defi#Ethereum#USDC#blockchain security#Crypto Exploit#Flash Loan Attack#Summer Finance
    Venus Protocol Hit by $3.7M Supply-Cap Attack

    Venus Protocol Hit by $3.7M Supply-Cap Attack

    Charles Obison
    March 17, 2026
    4,075 views
    Make Us Preferred on Google

     

    Decentralized crypto lending and borrowing platform Venus Protocol was recently targeted in a supply cap/flash-loan attack, resulting in an estimated $3.7 million loss.

     

    The team said Sunday that it detected unusual activity in the Thena token (THE) pool. Withdrawals and deposits were temporarily paused while the team conducted an investigation. Additional details about the incident have since been released.

     

     

     

    According to Allez Labs, the risk manager for the Venus Protocol, the attack occurred in two stages. In the first stage, the attacker gradually acquired 84% of Thena’s (THE) 14.5 million token supply, which represents the platform’s maximum supply. THE is the native cryptocurrency of the Thena decentralized finance platform.

     

    The accumulation of the Thena token began as early as March 2025 and continued over a nine-month period, Allez Labs reported.

     

    To bypass Thena’s 14.5 million token supply cap on Venus, the attacker moved to the second stage of the exploit, transferring tokens directly to the protocol’s contract and pushing the supply to 53.2 million tokens.

     

    Timeline of the Thena Token Supply Cap Breach, according to Allez Labs:

    • 11:00 UTC: 12,200,000 THE supplied (84% of the cap, within limits)
    • 12:00 UTC: 49,500,000 THE supplied (341% of the cap)

    • 12:42 UTC: 53,200,000 THE supplied (367% of the cap)

     

    After accumulating a large amount of Thena tokens (THE), the attacker used 53.2 million of them as collateral to borrow other cryptocurrencies, including 6.67 million CAKE, 1.58 million USDC, 2,801 BNB, and 20 BTC. CAKE is the native token of the PancakeSwap decentralized exchange.

     

    Although Thena initially had low on-chain liquidity, the attacker’s repeated use of it as collateral, along with additional purchases, caused its price to spike from around $0.27 to nearly $0.53, Allez Labs said. Out of caution, Venus Protocol paused withdrawals and borrowing of THE and CAKE tokens on its platform.

     

    Analyzing the scale of the attack, Wu Blockchain reported that the attacker’s wallet obtained roughly 20 BTC, 1.5 million CAKE, and 200 BNB, totaling more than $3.7 million.

     

    The Thena token (THE), which was primarily used in the flash loan attack, has seen its price decline by more than 17% over the past 24 hours. As of the time of publication, THE was trading at around $0.1949.

     

    Tags:
    #Crypto Lending#Web3 Security#DeFi Security#Venus Protocol#Flash Loan Attack#Crypto Exploits#Thena Token#THE Token#Blockchain Hacks#PancakeSwap