Reproduced Exploit
Summer.fi FleetCommander — NAV Inflation via Empty-Ark Donation of Undervalued vgUSDC
1. Summer.fi Lazy Summer FleetCommander prices shares from the sum of each ark's totalAssets() with no smoothing, donation resistance, or empty-ark gate.
Loss
~5.60M DAI reproduced on FleetA (5597682112787981084159961 wei); full incident ~6.02M incl. FleetB
Chain
Ethereum
Category
defi
Date
Jul 2026
EVM Playground
Source-level debugger — step opcodes and Solidity in sync
The attack is replayed in an in-browser EVM preloaded with the exact dumped fork state. Step by Solidity line or by opcode across all call depths; the source line, Stack, Memory, Storage, Transient storage and Return value stay in sync. Click any opcode or source line to jump. No backend, no live RPC.
Source & credit. Exploit reproduction, trace data, and analysis adapted from DeFiHackLabs by SunWeb3Sec — an open registry of reproduced on-chain exploits. Standalone Foundry PoC and full write-up: 2026-07-SummerFi_exp in the
evm-hack-registrymirror. Upstream DeFiHackLabs PoC:src/test/…/SummerFi_exp.sol.
Vulnerability classes: vuln/defi/donation-attack · vuln/oracle/price-manipulation · vuln/defi/flash-loan-attack
Reproduction: offline Foundry project at this folder. Trace: output.txt. Sources: FleetCommander, SiloManagedVaultArk, SiloVault / vgUSDC.
Key info#
| Loss | ~5.60M DAI reproduced on FleetA (5597682112787981084159961 wei); full incident ~6.02M incl. FleetB |
| Vulnerable contract | FleetCommander A — 0x98C49e13bf99D7CAd8069faa2A370933EC9EcF17 |
| Empty ark | SiloManagedVaultArk — 0x61d7063041d83C8ca3E42c39181dFd14B3Bc76c2 |
| Undervalued vault | Silo vgUSDC — 0x8399C8Fc273bD165C346Af74A02e65f10e4FD78F (counts depegged xUSD at par) |
| Attacker | 0x7BF716167B48CF527725722C6d79494b45B3BDCa |
| Attack contract | 0x0514F827C129C16418a0933E03C99A6AF982FC61 |
| Attack tx | 0x0db528c44f23fc7fa4544684a2fab81096450a14aae8bc89f42cd0592d43da12 |
| Chain / block | Ethereum / 25,471,347 / July 2026 |
| Bug class | Fleet NAV = live sum of ark totalAssets() with no manipulation guard; donating cheap vgUSDC into an empty ark inflates share price for a dominant depositor who then redeems against other LPs |
TL;DR#
-
Summer.fi Lazy Summer
FleetCommanderprices shares from the sum of each ark'stotalAssets()with no smoothing, donation resistance, or empty-ark gate. -
One FleetA ark was a SiloManagedVault pointing at Silo vgUSDC, which still valued depegged Stream xUSD collateral near par. That made vgUSDC mintable far below the value the fleet would later attribute to it.
-
Attack (Morpho flash USDT + USDC):
- Force liquidity out of Morpho-backed VaultV2 arks (
forceDeallocate) so the later redeem can be served. - Mint cheap vgUSDC: USDT → xUSD (Uniswap V4) → vgUSDC (Balancer V3).
- Deposit a dominant FleetA position at honest NAV (~64.8M USDC path).
- Donate the cheap vgUSDC into the empty SiloManagedVault ark → Fleet NAV jumps.
- Redeem inflated shares → drain other LPs' USDC.
- Convert surplus USDC → DAI via Curve 3pool; repay Morpho.
- Force liquidity out of Morpho-backed VaultV2 arks (
-
Reproduced profit: 5,597,682.11 DAI (output.txt); PoC asserts
> 5_000_000e18. Remaining ~0.4M of the public 6.02M figure came from a second fleet leg not in this PoC.
Root cause#
Fleet share price ∝ Σ ark.totalAssets()
empty ark accepts raw vgUSDC donation → totalAssets jumps
no max deposit / no virtual offset / no same-block NAV freeze
attacker holds majority shares minted pre-donation → redeems post-donation at inflated price
Compounded by vgUSDC treating depegged xUSD as full-value collateral (oracle/asset-quality failure in the Silo vault).
Attack flow#
Recommendation#
- Ignore empty arks (or require governance activation) until they have verified strategy deposits.
- Use manipulation-resistant NAV (internal accounting, not raw token balances in arks).
- Same-block / same-tx deposit+redeem guards; max share of supply per deposit.
- Ensure underlying vaults (vgUSDC) do not value depegged collateral at par.
References#
- Attack tx: https://etherscan.io/tx/0x0db528c44f23fc7fa4544684a2fab81096450a14aae8bc89f42cd0592d43da12
- Upstream PoC notes in
test/SummerFi_exp.sol
Sources & further analysis#
Reproductions & code
- Standalone PoC + full trace: 2026-07-SummerFi_exp (evm-hack-registry mirror).
- Upstream DeFiHackLabs PoC:
SummerFi_exp.sol. - Attack transaction: view on explorer.
Alerts & third-party analyses
- DeFiHackLabs incident explorer: search "Summer.fi FleetCommander".
- Web3Sec X hacked database: search.
- Rekt leaderboard: search.
- Solodit incident search: search.
These dashboards index community alerts tweets, post-mortems, and independent write-ups. Reach them through the protocol name above to cross-check this reproduction against other analyses.