Summer Finance suffered a flashloan attack, losing $6 million, highlighting DeFi security vulnerabilities.
🚨ALERT: Summer Finance just got drained for $6 million, and the mechanism is the classic flashloan playbook that keeps working on DeFi vaults.
CertiK traced it: the attacker borrowed $65.4 million via flashloan, used it to manipulate liquidity across Curve's DAI/USDC pools and Morpho, then walked away with $6 million profit before repaying the loan in the same transaction. Same block. No capital of their own at risk.
This is what makes flashloan attacks so hard to defend against. The attacker doesn't need to own the money they're manipulating with; they borrow $65M for a few seconds, temporarily distort a price or liquidity ratio, extract the difference, and return the loan before the transaction even finalizes. If any single step reverts, the whole thing undoes itself, so they only ever risk gas fees.
Summer Finance builds institutional-grade vault infrastructure. "Institutional-grade" increasingly means nothing if the underlying liquidity math can still be bent by whoever has the biggest flashloan.