Summer.fi 被闪电贷精准爆头,610 万美元凭空蒸发。
The attacker’s path was actually “clean”: borrow 65.4 million USDC + 1 million USDT, deposit 64.8 million USDC into Fleet Commander to obtain shares, then directly transfer the SiloVault shares to the strategy contract Ark, inflating Ark’s book balance from $0 to $7.14 million.
The problem lies in Fleet Commander’s calculation of totalAssets, where it directly trusts the original balance reported by Ark with no internal validation. As a result, the attacker redeemed 710 million USDC in sequence, netting roughly $6.1 million—done in a single transaction.
This is a classic cross-contract ERC-4626 donation attack. ERC-4626 share pricing is already dependent on the underlying asset definition. Once the vault “blindly trusts” the balance reported by an external strategy contract, an attacker can artificially inflate the value of each share as long as they can directly transfer funds to / transfer shares to the strategy contract, then exit via arbitrage.
Some reusable risk points:
- The vault should not unconditionally trust balances reported by the strategy; it needs internal accounting plus variance checks;
- The strategy contract must filter out “unexpectedly received” assets and shares and must not include them in NAV;
- Any protocol involving nested ERC-4626 structures is worth re-auditing the donation-attack surface.
In DeFi, fewer vulnerabilities are caused by math and more by boundary design—“who trusts whom.”
#DeFi #Summer_fi #ERC4626