Summer.fi exploit drains ~$6M; AI rebalancer involved
Blockaid detected an exploit on July 6 that drained about $6 million from Summer.fi’s Lazy Summer vaults; the protocol paused the vaults and is investigating.
Blockaid detected an ongoing exploit of Summer.fi on July 6 and estimated about $6 million was drained. Summer.fi paused its Lazy Summer vaults while investigators examine how the protocol’s Keeper AI rebalancer and layered contract controls were involved.
Blockaid published a follow-up linking the exploit transaction, the exploiter address, the exploit contract and the affected Summer.fi and Lazy Summer contracts. The linked Etherscan record shows a successful Ethereum transaction at 05:17:59 UTC on July 6. Summer.fi acknowledged the report, noting it was ‘aware of the reported exploit’ and that it is investigating the root cause. Protocol guardians paused all vaults across the Lazy Summer Protocol. A final loss figure and the technical cause remain pending a fuller incident review.
Lazy Summer is a set-and-forget product built around automated Lazy Vaults, also called Fleets. Summer.fi documentation describes a Fleet Commander that handles deposits, withdrawals and allocation; ARKs that implement yield strategies; and RAFT components that harvest and compound rewards. The protocol’s rebalancer, described as Keeper AI Agents, can move assets among ARKs within limits set by the Fleet Commander and governance, including caps on how much value can move and how often.
Depositors rely on share accounting, strategy contracts, keeper execution, governance limits and emergency pause controls while capital moves without manual approval from each user. The exploit affected the boundary between those automated systems and user-facing accounting.
Summer.fi’s public materials point to audits and an Immunefi bug bounty as parts of its security program. Known DeFi hack losses reached about $780.3 million in the second quarter.
Summer.fi plans a postmortem. The review will determine whether the fault is contained to a single contract or a keeper execution path, or whether the issue traces back to vault accounting, permissioning or how strategies are moved between ARKs. The protocol will publish findings and a final loss figure after the review.








