Binance Square
#summerfi

summerfi

9,074 views
10 Discussing
Maurice Vanloo X8zN
·
--
Yet another DeFi protocol has been breached by a "trust vulnerability". In a single transaction, Summer.fi was drained of approximately $6.1 million. The method is textbook: The attacker used a flash loan of 654 million USDC plus 1 million USDT, first depositing 648 million USDC into Fleet Commander normally to obtain shares. The key step was to transfer the SiloVault shares directly into the strategy contract Ark that is managed by Silo Finance, bypassing the deposit entry point—brute-forcing Ark’s on-paper balance from 0 to $7.14 million. Then, when Fleet Commander calculates totalAssets, it bizarrely just trusts the original balance reported by Ark, without any internal reconciliation. After the inflation, the share value is overstated. The attacker then smoothly redeems for 71 million USDC and leaves, netting $6.1 million—all in a single transaction. Onchain Lens categorizes this as a "cross-contract ERC-4626 donation attack." The issue isn’t the flash loan, nor the ERC-4626 standard itself, but that the vault takes the self-reported balance of an external strategy contract as truth. The industry lesson is very specific: · The vault must maintain independent accounting or enforce upper-bound checks for strategy assets—so strategy contracts can’t call the shots · Any path where "a direct transfer alone can change accounting state" is an attack surface · For yield protocols with nested multiple contracts, audits must cover cross-contract invariants, not just single-contract logic However sweet DeFi’s compounding narrative may be, underneath it’s still "code is trust." This time the loss is $6.1 million—next time it could be nine figures. #DeFi #SummerFi #智能合约安全
Yet another DeFi protocol has been breached by a "trust vulnerability".

In a single transaction, Summer.fi was drained of approximately $6.1 million. The method is textbook:

The attacker used a flash loan of 654 million USDC plus 1 million USDT, first depositing 648 million USDC into Fleet Commander normally to obtain shares. The key step was to transfer the SiloVault shares directly into the strategy contract Ark that is managed by Silo Finance, bypassing the deposit entry point—brute-forcing Ark’s on-paper balance from 0 to $7.14 million.

Then, when Fleet Commander calculates totalAssets, it bizarrely just trusts the original balance reported by Ark, without any internal reconciliation. After the inflation, the share value is overstated. The attacker then smoothly redeems for 71 million USDC and leaves, netting $6.1 million—all in a single transaction.

Onchain Lens categorizes this as a "cross-contract ERC-4626 donation attack." The issue isn’t the flash loan, nor the ERC-4626 standard itself, but that the vault takes the self-reported balance of an external strategy contract as truth.

The industry lesson is very specific:
· The vault must maintain independent accounting or enforce upper-bound checks for strategy assets—so strategy contracts can’t call the shots
· Any path where "a direct transfer alone can change accounting state" is an attack surface
· For yield protocols with nested multiple contracts, audits must cover cross-contract invariants, not just single-contract logic

However sweet DeFi’s compounding narrative may be, underneath it’s still "code is trust." This time the loss is $6.1 million—next time it could be nine figures.

#DeFi #SummerFi #智能合约安全
Summer.fi is back to the old ERC-4626 problem—only this time they changed the approach to do it across contracts. The attacker flash-loaned 65.4 million USDC + 1 million USDT, first deposited 64.8 million into Fleet Commander to receive shares, then directly stuffed the SiloVault shares into the Ark strategy contract managed by Silo Finance—skipping the normal deposit flow and forcing Ark’s balance from 0 up to $7.14 million. The key vulnerability: when Fleet Commander calculates totalAssets, it simply trusts the raw balance reported by Ark with no internal validation. As a result, after the attacker redeemed 71 million USDC, they walked away with a net profit of roughly $6.1 million from a single transaction. An old lesson, but still worth repeating: — A vault must not “unconditionally trust” a strategy contract’s balance — Variants of ERC-4626 donation/inflation attacks will keep showing up — Cross-contract accounting must use internal bookkeeping, not read external balanceOf The more layered a DeFi protocol is, the easier it is for someone to break through the trust boundaries through the gaps. Audited code doesn’t guarantee a secure architecture. #DeFi安全 #ERC4626 #SummerFi
Summer.fi is back to the old ERC-4626 problem—only this time they changed the approach to do it across contracts.

The attacker flash-loaned 65.4 million USDC + 1 million USDT, first deposited 64.8 million into Fleet Commander to receive shares, then directly stuffed the SiloVault shares into the Ark strategy contract managed by Silo Finance—skipping the normal deposit flow and forcing Ark’s balance from 0 up to $7.14 million.

The key vulnerability: when Fleet Commander calculates totalAssets, it simply trusts the raw balance reported by Ark with no internal validation. As a result, after the attacker redeemed 71 million USDC, they walked away with a net profit of roughly $6.1 million from a single transaction.

An old lesson, but still worth repeating:
— A vault must not “unconditionally trust” a strategy contract’s balance
— Variants of ERC-4626 donation/inflation attacks will keep showing up
— Cross-contract accounting must use internal bookkeeping, not read external balanceOf

The more layered a DeFi protocol is, the easier it is for someone to break through the trust boundaries through the gaps. Audited code doesn’t guarantee a secure architecture.

#DeFi安全 #ERC4626 #SummerFi
Summer.fi 又栽了——A lightning-loan deal for $6.1 million gets siphoned off in a single transaction. The problem isn’t the oracle, or the private key, but a line of code saying “I trust you.” The attacker’s path is actually disturbingly simple: · Borrow 65.4 million USDC + 1 million USDT via a flash loan · Normally deposit 64.8 million USDC into Fleet Commander to receive shares · The key step—**transfer** the SiloVault shares directly to the strategy contract Ark, bypassing the deposit entry point · Ark’s on-book balance instantly inflates from 0 to $7.14 million · When Fleet Commander computes totalAssets, it directly trusts Ark’s self-reported original balance; the attacker redeems and walks away with 71 million USDC Net profit: $6.1 million—done in a single transaction. This is a typical cross-contract ERC-4626 donation attack. Native ERC-4626 share-inflation vulnerabilities have been mitigated for two years, but when the treasury is split into a “Vault + multiple strategy contracts” composable architecture, the risk shifts from within a single contract to the **trust boundaries between contracts**. Fleet Commander treats the balance reported by Ark as ground truth and performs no internal validation—effectively handing the treasury key to an address that anyone can “donate” to inflate. A few points worth revisiting for the entire DeFi yield aggregation race: 1. Balance reporting from strategy contracts must go through a whitelisted entry point, rejecting unowned transfers 2. totalAssets calculation should include a differential check between internal accounting and external balances 3. The more complex a modular treasury is, the more it needs to treat “cross-contract calls” as an external input for auditing Passing an audit report doesn’t mean you’re safe—under composable architectures, the attack surface is being repeatedly unearthed. #DeFi安全 #ERC4626 #Summerfi
Summer.fi 又栽了——A lightning-loan deal for $6.1 million gets siphoned off in a single transaction. The problem isn’t the oracle, or the private key, but a line of code saying “I trust you.”

The attacker’s path is actually disturbingly simple:
· Borrow 65.4 million USDC + 1 million USDT via a flash loan
· Normally deposit 64.8 million USDC into Fleet Commander to receive shares
· The key step—**transfer** the SiloVault shares directly to the strategy contract Ark, bypassing the deposit entry point
· Ark’s on-book balance instantly inflates from 0 to $7.14 million
· When Fleet Commander computes totalAssets, it directly trusts Ark’s self-reported original balance; the attacker redeems and walks away with 71 million USDC

Net profit: $6.1 million—done in a single transaction.

This is a typical cross-contract ERC-4626 donation attack. Native ERC-4626 share-inflation vulnerabilities have been mitigated for two years, but when the treasury is split into a “Vault + multiple strategy contracts” composable architecture, the risk shifts from within a single contract to the **trust boundaries between contracts**. Fleet Commander treats the balance reported by Ark as ground truth and performs no internal validation—effectively handing the treasury key to an address that anyone can “donate” to inflate.

A few points worth revisiting for the entire DeFi yield aggregation race:
1. Balance reporting from strategy contracts must go through a whitelisted entry point, rejecting unowned transfers
2. totalAssets calculation should include a differential check between internal accounting and external balances
3. The more complex a modular treasury is, the more it needs to treat “cross-contract calls” as an external input for auditing

Passing an audit report doesn’t mean you’re safe—under composable architectures, the attack surface is being repeatedly unearthed.

#DeFi安全 #ERC4626 #Summerfi
Summer.fi Halts Operations of Vault After $6 Million Attack * The decentralized finance (DeFi) protocol Summer.fi has had to shut down its "Lazy Summer" vaults. * The decision was made after the protocol was attacked, causing an estimated $6 million in losses. * The incident caused Summer.fi’s native SUMR token to drop by more than 18% in value. * The community is closely monitoring Summer.fi’s remediation and security measures. #DeFi #Exploit #Summerfi #CryptoNews #SUMR $sumr vlikevn Titanbot Source: CoinDesk
Summer.fi Halts Operations of Vault After $6 Million Attack

* The decentralized finance (DeFi) protocol Summer.fi has had to shut down its "Lazy Summer" vaults.
* The decision was made after the protocol was attacked, causing an estimated $6 million in losses.
* The incident caused Summer.fi’s native SUMR token to drop by more than 18% in value.
* The community is closely monitoring Summer.fi’s remediation and security measures.
#DeFi #Exploit #Summerfi #CryptoNews #SUMR

$sumr

vlikevn Titanbot

Source: CoinDesk
Log in to explore more content
Join global crypto users on Binance Square
⚡️ Get latest and useful information about crypto.
💬 Trusted by the world’s largest crypto exchange.
👍 Discover real insights from verified creators.
Email / Phone number