A $6M Summer.fi Exploit Drained a DeFi Vault. We Traced the Money On-Chain, and It Has Not Moved

— By Tony Rabbit in News

A $6M Summer.fi Exploit Drained a DeFi Vault. We Traced the Money On-Chain, and It Has Not Moved

A DeFi vault on Summer.fi was drained of about $6M on July 6. We read the chain: the exact 6,016,755 DAI is still parked in the attacker's wallet, unmoved and unlaundered. Here is the on-chain trail.

Another DeFi vault has been drained. On the morning of July 6, 2026, the yield protocol Summer.fi, known for its Lazy Summer automated vaults, lost roughly 6 million dollars to an exploit that security firm Blockaid flagged at around 07:27 UTC. The early reports carried the headline number but not the money trail. So we did what we do: we read the chain directly. The drained funds are not a rounded estimate and they are not gone into a mixer. They are sitting, to the dollar, in a single wallet, and as of this writing they have not moved.

~$6.0M
drained from a Summer.fi Lazy Vault
6,016,755
DAI still sitting in the attacker's wallet
05:17 UTC
when the vault was drained, July 6
0
of it laundered or moved so far

What the chain confirms

Pulling the attacker wallet on Ethereum, the loot is exact: 6,016,755 DAI, worth about 6.0 million dollars, plus roughly 98,645 LVUSDC vault-share tokens and about 0.26 ETH for gas. The wallet, ending in BDCa, is brand new. It has made just four transactions, all on July 6. Its first transaction landed at 04:12 UTC, and about an hour later, at 05:17 UTC, two calls to a purpose-built exploit contract (ending FC61) drained the LazyVault_LowerRisk_USDC vault in under a minute. The exploit contract was deployed by a separate address, not the wallet now holding the funds, a common attacker pattern that separates the tool from the treasury.

How the drain unfolded, on-chain

1
Fresh wallet funded
An attacker wallet (0x7BF7...BDCa) makes its first transaction at 04:12 UTC on July 6, with no prior history.
2
Exploit contract deployed
A custom contract (0x0514...FC61) is deployed to carry out the attack.
3
Vault drained at 05:17 UTC
Two calls to that contract drain the LazyVault_LowerRisk_USDC vault in under a minute.
4
6.0M DAI lands, and stays
About 6,016,755 DAI arrives in the attacker wallet, where it still sits untouched.
On-chain money trail of the Summer.fi exploit July 6 2026: the LazyVault_LowerRisk_USDC vault was drained via exploit contract 0x0514 into attacker wallet 0x7BF7, which still holds 6,016,755 DAI, about 6 million dollars, status unmoved
The money trail, read on-chain: vault to exploit contract to attacker wallet, where the 6,016,755 DAI still sits.

None of this required guesswork. The amounts, timestamps, contract and destination are all readable on any block explorer, which is exactly why on-chain drains are so much easier to quantify than off-chain breaches. The number the chain shows, 6,016,755 DAI, is the number.

The $6 million has not moved

Here is the part that matters most right now, and the part no wire has published: hours after the drain, the attacker has not touched the funds. The DAI has not been swapped, bridged to another chain, or sent to a mixer like Tornado Cash. It is simply parked. That single fact shapes everything that happens next. A wallet that sits still is often a wallet whose owner is watching to see whether the protocol opens a whitehat negotiation, offering to let them keep a bounty in exchange for returning the rest. The moment the funds start hopping between addresses or hit a mixer, that window is usually closing. For anyone following this, the only metric that counts from here is on-chain movement of that DAI.

What is not yet known

We are deliberately not filling in the blanks the chain does not show. No full post-mortem has been published, so the precise root cause, whether a pricing or accounting flaw in the vault let the attacker withdraw more than they deposited, is not yet confirmed and we will not guess at it. The vault in question was one of the protocol's lower-risk USDC strategies, which is its own uncomfortable headline. Summer.fi's SUMR governance token, which lives on Base, is a small market (a fully diluted value under 2 million dollars on only a few thousand dollars of daily volume), so the token reaction is a footnote next to the 6 million dollars of user funds at stake.

What the chain confirms
  • about 6,016,755 DAI, near $6.0M, drained and now held in one wallet
  • the wallet also holds roughly 98,645 LVUSDC vault shares and 0.26 ETH
  • just four transactions, all on July 6, using a purpose-built exploit contract
What is not yet known
  • the exact root cause; no full post-mortem has been published
  • whether the funds are recoverable or whitehat negotiation is underway
  • where the DAI goes next, which is the single thing worth watching now

The lesson for DeFi users

Automated yield vaults concentrate a lot of deposits behind a single smart-contract surface, which is precisely what makes them efficient and what makes a single flaw so expensive. This is the second straight cycle where the dominant DeFi loss vector is contract and access-control exploits rather than volatility. The takeaways are the ones we repeat because they keep being right: understand that a "lower-risk" label describes market risk, not smart-contract risk; screen any protocol token and contract with the Token Safety Checker before you deposit; learn how these drains actually work in our guide to DeFi exploits; and if you are ever caught in one, our wallet-drained response guide walks through the first moves. We will update this piece as the funds move or a post-mortem lands.

Screen any token for safety →How DeFi exploits work →If your wallet is drained →

Methodology and disclaimer: the drained amount (6,016,755 DAI), the attacker wallet's holdings and its four transactions, the exploit contract and the 05:17 UTC timing were read on-chain from Ethereum via public block explorers on July 6, 2026, and reflect the state at the time of writing; funds may move at any point. The exploit detection and timing are as reported by Blockaid; SUMR market data is from GeckoTerminal. The root cause is not yet confirmed and no individual is identified; the attacker is referenced by wallet address only. This article is for information only and is not financial advice.