On Monday morning, major multichain protocol Summer.fi, formerly Oasis.app, was hit by a sophisticated hacker attack. The attacker managed to drain the project’s automated vaults and withdraw about $6 million in DAI stablecoins. The incident was quickly detected by leading security firms Blockaid, PeckShield and CertiK.
The 2,000,000% trap
This hack stood out because of its abnormal mechanics. The hacker used a massive flash loan worth $65.4 million to artificially distort liquidity inside the “LazyVault_LowerRisk_USDC” pool. This vault had been positioned by developers as a lower-risk instrument, while its security was overseen by Block Analitica.
At the moment of the manipulation, the pool’s algorithms suffered a critical failure, causing the displayed yield, or APY, of the conservative vault to briefly jump to an absurd 2,080,000%. It was through this window of distorted pricing that the hacker was able to instantly withdraw user funds.
For Summer.fi, this incident continued a series of problems inside its multichain infrastructure, which spans Ethereum, Base and Arbitrum. Over the past year alone, the protocol had already faced frozen withdrawals because of the USDX stablecoin depeg, narrowly avoided an attack through the rsETH project, and blocked a malicious governance proposal at the last moment after it exploited old access permissions.
The new hack occurred against the backdrop of a difficult year for the entire Web3 industry. According to analysts, by the start of Q3 2026, total DeFi-sector losses from cyberattacks had already exceeded $840 million, with the main blow coming in a record April that accounted for more than $640 million.
The exploit mainly affected large players. According to on-chain intelligence, the biggest loss was suffered by a wallet linked to Torben Jorgensen, co-founder of Web3 company UDHC, who had deposited about 8.6 million USDC into the affected pool shortly before the attack. All stolen DAI was quickly converted through Uniswap V3 pools.
At the time of writing, the Summer.fi team has temporarily paused all compromised contracts, but no official statements about compensation have been released yet.






Be the first to comment