Recently, sophisticated hackers exploited vulnerabilities in the AI automation and smart contracts of the DeFi platform ‘SummerFi’, making off with approximately $6m USDC. The platform has now paused all vaults as a result.
The Summer.fi team has launched a full investigation into the root cause alongside blockchain security firms. Initial findings suggest the attacker had been planning the exploit for months. They took out a sizeable ‘flash loan’ in USDC, moved funds between the ‘Fleet Commander’ contract and the ‘Ark’ strategy contract to carry out an “ERC-4626 donation attack”, and then swiftly swapped the USDC into DAI before transferring it to a private wallet.
In my view, the hacker was extremely cunning. By converting the stolen assets into a decentralised stablecoin before moving them, they avoided the risk of seizure. Had the funds remained in USDC, Circle could have frozen them. However, MakerDAO/Sky — the team behind DAI — have no mechanism to intervene with DAI held in a specific wallet, even if they wished to. These days, hackers commonly use cross-chain bridges or crypto mixers to shift funds to brand-new, “clean” wallet addresses, making them incredibly difficult to trace.
As expected, Summer.fi’s native governance token, SUMR, dropped by more than 18% in the immediate aftermath of the hack. The team is now closely monitoring liquidity to stabilise the situation. Pools on other blockchain networks have also been secured by activating the protocol’s ‘Emergency Guardians’ to prevent further losses.
We’ll have to wait and see what happens next.