+0.74%
+0.90%
+5.19%
-0.75%
-2.08%
+2.82%
How the Attack Worked
The exploit used a flash loan, a feature that lets attackers borrow large sums without collateral if they repay within the same transaction. According to pseudonymous crypto trader Crypto Jargon, the attacker borrowed funds and then manipulated liquidity across Curve’s DAI and USDC pools as well as Morpho protocol.
By orchestrating this price manipulation, the attacker extracted about $6 million in profit before repaying the loan in a single transaction. The key advantage of flash loan attacks is that they’re nearly risk-free for the attacker. If anything goes wrong, the entire transaction reverts, and the attacker only loses the gas fees paid to execute it.
The Technical Vulnerability
Odysseas Lamtzidis, founder of Phylax Systems, analyzed the exploit and identified the root cause. Summer Finance’s vulnerability stemmed from flaws in the protocol’s vault accounting and liquidity assumptions, both of which operated within a single transaction block.
Importantly, the attack didn’t involve compromised private keys or abuse of administrator privileges. Instead, the attacker used an unverified contract to execute the exploit, while the vulnerable protocol components themselves were verified and audited. This suggests the flaw was in the overall logic and assumptions rather than in individual smart contract code.
A Troubling Year for DeFi
This incident is part of a broader crisis in the decentralized finance sector. According to CryptoRank, the DeFi ecosystem experienced 121 hacks in 2026, resulting in nearly $942 million in total losses. The situation worsened during the second quarter, which saw 85 separate exploits and approximately $775 million stolen.
The scale of the damage has shaken investor confidence. Total value locked in DeFi protocols dropped significantly throughout the year, falling from around $115 billion in January to $70 billion by late June.
Where the Biggest Losses Came From
While Q2 had the most exploits overall, two massive attacks in April accounted for the year’s largest financial damage. Drift Protocol and KelpDAO were collectively hit for about $590 million, representing more than half of all DeFi losses in 2026.
Summer Finance’s $6 million loss, while significant, is a reminder that attackers are constantly evolving their tactics. Flash loans have become a particularly effective vector because they require no collateral and can be executed with minimal exposure. Until protocols strengthen their accounting logic and validate assumptions across transactions, attacks like this will likely continue.
Follow Hashlytics on Bluesky, LinkedIn, Telegram and X to Get Instant Updates



