Advertisement
AD

2,000,000% APY Trap: $6 Million Drained in Ethereum DeFi Exploit

Mon, 6/07/2026 - 8:21
Ethereum multi-chain protocol Summer.fi was by a flash loan attack on Monday morning, draining $6 million from its low-risk vault amid a 2,000,000% APY spike.
Advertisement
2,000,000% APY Trap: $6 Million Drained in Ethereum DeFi Exploit
Cover image via depositphotos.com

Disclaimer: The opinions expressed by our writers are their own and do not represent the views of U.Today. The financial and market information provided on U.Today is intended for informational purposes only. U.Today is not liable for any financial losses incurred while trading cryptocurrencies. Conduct your own research by contacting financial experts before making any investment decisions. We believe that all content is accurate as of the date of publication, but certain offers mentioned may no longer be available.

Google

On Monday morning, major multichain protocol Summer.fi, formerly Oasis.app, was hit by a sophisticated hacker attack. The attacker managed to drain the project's automated vaults and withdraw about $6 million in DAI stablecoins. The incident was quickly detected by leading security firms Blockaid, PeckShield and CertiK.

Advertisement

The 2,000,000% trap

This hack stood out because of its abnormal mechanics. The hacker used a massive flash loan worth $65.4 million to artificially distort liquidity inside the "LazyVault_LowerRisk_USDC" pool. This vault had been positioned by developers as a lower-risk instrument, while its security was overseen by Block Analitica.

At the moment of the manipulation, the pool's algorithms suffered a critical failure, causing the displayed yield, or APY, of the conservative vault to briefly jump to an absurd 2,080,000%. It was through this window of distorted pricing that the hacker was able to instantly withdraw user funds.

HOT Stories
XRP Keeps Dominating ETF Inflows XRP, Shiba Inu (SHIB), Bitcoin and Dogecoin (DOGE) Price Analysis for July 6: First Breakout Attempt Shut Down

For Summer.fi, this incident continued a series of problems inside its multichain infrastructure, which spans Ethereum, Base and Arbitrum. Over the past year alone, the protocol had already faced frozen withdrawals because of the USDX stablecoin depeg, narrowly avoided an attack through the rsETH project, and blocked a malicious governance proposal at the last moment after it exploited old access permissions.

Advertisement

You Might Also Like

The new hack occurred against the backdrop of a difficult year for the entire Web3 industry. According to analysts, by the start of Q3 2026, total DeFi-sector losses from cyberattacks had already exceeded $840 million, with the main blow coming in a record April that accounted for more than $640 million.

Advertisement

The exploit mainly affected large players. According to on-chain intelligence, the biggest loss was suffered by a wallet linked to Torben Jorgensen, co-founder of Web3 company UDHC, who had deposited about 8.6 million USDC into the affected pool shortly before the attack. All stolen DAI was quickly converted through Uniswap V3 pools.

At the time of writing, the Summer.fi team has temporarily paused all compromised contracts, but no official statements about compensation have been released yet.

Advertisement
Advertisement
Advertisement
Advertisement
Subscribe to daily newsletter

Recommended articles

Our social media
There's a lot to see there, too