A $6M Summer.fi Exploit Drained a DeFi Vault. We Traced the Money On-Chain, and It Has Not Moved
— By Tony Rabbit in News

A DeFi vault on Summer.fi was drained of about $6M on July 6. We read the chain: the exact 6,016,755 DAI is still parked in the attacker's wallet, unmoved and unlaundered. Here is the on-chain trail.
Another DeFi vault has been drained. On the morning of July 6, 2026, the yield protocol Summer.fi, known for its Lazy Summer automated vaults, lost roughly 6 million dollars to an exploit that security firm Blockaid flagged at around 07:27 UTC. The early reports carried the headline number but not the money trail. So we did what we do: we read the chain directly. The drained funds are not a rounded estimate and they are not gone into a mixer. They are sitting, to the dollar, in a single wallet, and as of this writing they have not moved.
What the chain confirms
Pulling the attacker wallet on Ethereum, the loot is exact: 6,016,755 DAI, worth about 6.0 million dollars, plus roughly 98,645 LVUSDC vault-share tokens and about 0.26 ETH for gas. The wallet, ending in BDCa, is brand new. It has made just four transactions, all on July 6. Its first transaction landed at 04:12 UTC, and about an hour later, at 05:17 UTC, two calls to a purpose-built exploit contract (ending FC61) drained the LazyVault_LowerRisk_USDC vault in under a minute. The exploit contract was deployed by a separate address, not the wallet now holding the funds, a common attacker pattern that separates the tool from the treasury.
How the drain unfolded, on-chain

None of this required guesswork. The amounts, timestamps, contract and destination are all readable on any block explorer, which is exactly why on-chain drains are so much easier to quantify than off-chain breaches. The number the chain shows, 6,016,755 DAI, is the number.
The $6 million has not moved
Here is the part that matters most right now, and the part no wire has published: hours after the drain, the attacker has not touched the funds. The DAI has not been swapped, bridged to another chain, or sent to a mixer like Tornado Cash. It is simply parked. That single fact shapes everything that happens next. A wallet that sits still is often a wallet whose owner is watching to see whether the protocol opens a whitehat negotiation, offering to let them keep a bounty in exchange for returning the rest. The moment the funds start hopping between addresses or hit a mixer, that window is usually closing. For anyone following this, the only metric that counts from here is on-chain movement of that DAI.
What is not yet known
We are deliberately not filling in the blanks the chain does not show. No full post-mortem has been published, so the precise root cause, whether a pricing or accounting flaw in the vault let the attacker withdraw more than they deposited, is not yet confirmed and we will not guess at it. The vault in question was one of the protocol's lower-risk USDC strategies, which is its own uncomfortable headline. Summer.fi's SUMR governance token, which lives on Base, is a small market (a fully diluted value under 2 million dollars on only a few thousand dollars of daily volume), so the token reaction is a footnote next to the 6 million dollars of user funds at stake.
- about 6,016,755 DAI, near $6.0M, drained and now held in one wallet
- the wallet also holds roughly 98,645 LVUSDC vault shares and 0.26 ETH
- just four transactions, all on July 6, using a purpose-built exploit contract
- the exact root cause; no full post-mortem has been published
- whether the funds are recoverable or whitehat negotiation is underway
- where the DAI goes next, which is the single thing worth watching now
The lesson for DeFi users
Automated yield vaults concentrate a lot of deposits behind a single smart-contract surface, which is precisely what makes them efficient and what makes a single flaw so expensive. This is the second straight cycle where the dominant DeFi loss vector is contract and access-control exploits rather than volatility. The takeaways are the ones we repeat because they keep being right: understand that a "lower-risk" label describes market risk, not smart-contract risk; screen any protocol token and contract with the Token Safety Checker before you deposit; learn how these drains actually work in our guide to DeFi exploits; and if you are ever caught in one, our wallet-drained response guide walks through the first moves. We will update this piece as the funds move or a post-mortem lands.
Methodology and disclaimer: the drained amount (6,016,755 DAI), the attacker wallet's holdings and its four transactions, the exploit contract and the 05:17 UTC timing were read on-chain from Ethereum via public block explorers on July 6, 2026, and reflect the state at the time of writing; funds may move at any point. The exploit detection and timing are as reported by Blockaid; SUMR market data is from GeckoTerminal. The root cause is not yet confirmed and no individual is identified; the attacker is referenced by wallet address only. This article is for information only and is not financial advice.