Summer.fi 又栽了——A lightning-loan deal for $6.1 million gets siphoned off in a single transaction. The problem isn’t the oracle, or the private key, but a line of code saying “I trust you.”
The attacker’s path is actually disturbingly simple:
· Borrow 65.4 million USDC + 1 million USDT via a flash loan
· Normally deposit 64.8 million USDC into Fleet Commander to receive shares
· The key step—**transfer** the SiloVault shares directly to the strategy contract Ark, bypassing the deposit entry point
· Ark’s on-book balance instantly inflates from 0 to $7.14 million
· When Fleet Commander computes totalAssets, it directly trusts Ark’s self-reported original balance; the attacker redeems and walks away with 71 million USDC
Net profit: $6.1 million—done in a single transaction.
This is a typical cross-contract ERC-4626 donation attack. Native ERC-4626 share-inflation vulnerabilities have been mitigated for two years, but when the treasury is split into a “Vault + multiple strategy contracts” composable architecture, the risk shifts from within a single contract to the **trust boundaries between contracts**. Fleet Commander treats the balance reported by Ark as ground truth and performs no internal validation—effectively handing the treasury key to an address that anyone can “donate” to inflate.
A few points worth revisiting for the entire DeFi yield aggregation race:
1. Balance reporting from strategy contracts must go through a whitelisted entry point, rejecting unowned transfers
2. totalAssets calculation should include a differential check between internal accounting and external balances
3. The more complex a modular treasury is, the more it needs to treat “cross-contract calls” as an external input for auditing
Passing an audit report doesn’t mean you’re safe—under composable architectures, the attack surface is being repeatedly unearthed.
#DeFi安全 #ERC4626 #Summerfi