Summer.fi: Lazy Summer attack not a contract vulnerability, NAV mechanism exploited
CoinFeed July 8 news, Summer.fi released an analysis report on the Lazy Summer Protocol USDC vault attack. On July 6, the attacker manipulated the share prices of two USDC vaults in a single atomic transaction, extracting approximately $6.04 million in depositor funds. The core of the attack lies in the calculation method of the vault's net asset value (NAV). The attacker donated tokens that still retained their old valuation to a Silo Ark that had been suspended after an incident in November 2025 but not fully removed, causing the total assets of the vault to be inflated by about 9.5%, raising the share price, and then redeemed at the inflated price and withdrew from the vault's real liquidity. The report emphasized that the attack was not a contract code vulnerability, but a missing step in the vault decommission process — the Ark's deposit cap had been set to zero, but it was still included in the NAV of the active asset set.