ads
bc-game

Attack on Summer Finance drains US$ 6 million after DeFi protocol failure

2 min read
PortalCripto
Attack on Summer Finance drains US$ 6 million after DeFi protocol failure
Source: Sora Shimazaki/Pexels — Attack on Summer Finance drains US$ 6 million after DeFi protocol failure
Advertisement

The protocol Summer Finance (Summer.fi) suffered an attack that resulted in the loss of approximately US$ 6 million, once again shining a spotlight on the security challenges faced by the DeFi sector. The exploit was identified by companies specialized in on-chain analysis, which pointed to signs of a vulnerability related to the accounting of assets in the protocol’s vaults.

The initial alert was shared by blockchain security specialists during the morning of Monday. Shortly after, other companies began analyzing fund movements and reconstructed the sequence of the attack, indicating that the attacker was able to exploit a flaw related to the calculation of users’ shares.

According to the analyses, the diverted resources were quickly converted into DAI before being sent to an address under the attacker’s control. The movement drew attention for using a method often employed in attacks against decentralized finance protocols: the temporary manipulation of prices and internal balances to obtain improper gains.

The security firm CertiK said the attacker used a flash loan of approximately US$ 65,4 million to carry out the operation. With this strategy, the attacker was able to carry out a withdrawal of about US$ 70,9 million, taking advantage of a flaw in the way the protocol Lazy Summer recorded the assets existing in its vaults.

The Summer.fi system uses artificial intelligence to automatically distribute users’ deposits across different lending platforms, seeking higher returns. This process depends on the correct accounting of assets in smart contracts, a factor, according to analysts, that would have been exploited during the incident.

CertiK detailed the mechanics of the attack in the following publication:

"The attacker managed to retrieve US$ 70,9 million after a US$ 64,8 million deposit, thanks to manipulation of the totalAssets() accounting of FleetCommander across multiple vaults, particularly in the Silo: Varlamore USDC Growth, which the attacker had previously accumulated and donated to Ark in the meantime."

According to the analysis, the FleetCommander is the smart contract responsible for managing the vaults, while the Ark integrates those vaults with the lending protocols used by the platform.

So far, the Summer.fi team has not yet disclosed a detailed explanation about the origin of the vulnerability that was exploited. While the investigation continues, security companies keep monitoring the movement of funds and assessing whether new protection measures will be implemented to prevent similar attacks in the DeFi protocol.

Tags