On a quiet Thursday afternoon, Blockaid's monitoring system flagged an anomaly: a series of transactions flowing through Summer.fi — a leverage protocol built on MakerDAO and Lido — that didn't just bend the rules, but shattered them. The outcome? A $6 million drain of user assets. The finding was not merely a reentrancy or a price oracle manipulation — though both may have played a role. What Blockaid reported was something more fundamental: a composite smart contract risk. The term felt clinical, but its implications are anything but. In bear markets, where survival matters more than gains, this kind of failure isn't just a technical bug — it's a story of how complexity undermines trust. We don't just track trends; we hunt their origins. Today, we’re hunting the origin of the composite risk that turned a promising protocol into a forensic exhibit.
To understand composite risk, we need to rewind to 2017. I had just left my quantitative hedge fund in Boston to join Gnosis as an operational analyst. I wasn't drawn to their prediction markets — I was obsessed with the multi-signature wallet prototype, Safe. I spent months auditing transaction hashes on the testnet, discovering a critical edge-case vulnerability in the fallback logic. That experience taught me a principle I've carried ever since: security is the canvas; liquidity is the paint. The structure of trust must be woven into the code before any capital flows through it. But in the years since, DeFi has evolved away from that ideal. Platforms like Summer.fi don't build single contracts; they compose multiple protocols — each with its own governance, its own upgrade schedule, its own hidden fault lines. Composite risk is the inevitable price of that ambition.
Summer.fi operates as a leverage and automation layer on top of MakerDAO's Vaults and Lido's staked ETH. Users can deposit collateral, borrow stablecoins, and then recycle that borrowed capital into further leveraged positions — all within a single interface. It’s elegant, efficient, and dangerous. The composite risk here arises from the interaction between three independent systems: Summer.fi's own smart contracts (which manage positions), Maker's DSR (Dai Savings Rate) and liquidation engines, and Lido's stETH/ETH exchange rate mechanism. An attacker does not need to break any single contract; they only need to exploit the alignment between them. Think of it as musical chairs where the chairs are constantly moving, and the only rule is that the music never stops. The $6 million loss was not a bug in a single line of code — it was a bug in the choreography.
While the full post-mortem is still under wraps, the forensic pattern suggests a classic composite vector. Let me walk you through my hypothesis, based on years of analyzing such exploits.

Step 1: Manipulate the oracle input. The attacker used a flash loan to artificially inflate the price of an illiquid collateral asset on a DEX. This created a discrepancy between Summer.fi's internal valuation (which relied on a time-weighted average or a pair of oracles) and the real market price.

Step 2: Exploit the leverage loop. With collateral now overvalued, the attacker borrowed the maximum amount from Summer.fi's lending pool — drawing from Aave's or Maker's liquidity through Summer.fi's integration. Because the platform's contracts automatically rebalance based on the inflated price, the attacker could withdraw more than their actual collateral justified.
Step 3: Trigger liquidation of the inflated collateral. As the flash loan was repaid and prices normalized, the collateral value dropped, triggering automatic liquidations. But the attacker had already guided those liquidations to favor their own positions — buying back the discounted assets through their own front-running transactions.
The beauty — and horror — of this attack is that no single component failed. The DEX operated as designed. MakerDAO's liquidation engine ran normally. Summer.fi's auto-leverage logic executed per spec. Yet together, they created a state-dependent inconsistency that could be exploited. This is the composite risk that most audits miss, because auditors check each module in isolation. They don't simulate the full combinatorial explosion of interactions.
Finding the human heartbeat inside the cold code. When I co-founded “Liquidity Lore” back in 2020, I built a scraper that mapped social media sentiment against TVL growth. We discovered that narrative velocity preceded price discovery by 48 hours. Today, the narrative velocity around Summer.fi is screaming one word: retreat. In the 72 hours after the exploit, on-chain data from DeFiLlama shows TVL dropped from approximately $220 million to $140 million — a 36% outflow. That's not just panic; it's a structural loss of trust. The story of “alpha yield aggregation” has flipped to “aggregation of single points of failure.” This is exactly what I warned about in my Terra/Luna post-mortem series: when a narrative decays, it pulls down the entire fabric of trust. You can't patch a story with a smart contract upgrade.
Now let’s go against the grain. The immediate response from many commentators will be “better audits” or “more formal verification.” I disagree. Auditing is necessary but insufficient for composite risk. The state space of a three-protocol interaction is so vast that no static analysis tool can cover it all. The true contrarian insight here is that the only way to eliminate composite risk is to eliminate composability itself — at least in its current form. That doesn’t mean DeFi should become walled gardens; it means we need a new paradigm: context-aware execution environments that enforce invariants across protocol boundaries. Think of it as a virtual machine that can observe and constrain the combined state of multiple contracts. This is where technologies like flashbots' SUAVE or zk-rollups with cross-domain programmability might evolve. But today, the most pragmatic contrarian take is harsh: if you can't understand every line of code your protocol depends on, you shouldn't put money at risk in a bear market. The exit is easy; the narrative is the hard part.
The larger implication for the industry is uncomfortable. When I spent six months interviewing institutional portfolio managers in Boston for my “Institutional Translation Layer” report, the most common question was: “How do you ensure that this protocol won’t be hacked tomorrow?” I would answer with technical details about audits, bug bounties, and insurance. But after Summer.fi, I have to add a new answer: We don't ensure. We accept risk. That's not what institutions want to hear. The BlackRock ETF thesis assumes Bitcoin is digital gold — a simple, immutable store of value. But DeFi's entire promise is complexity and automation. These two narratives are on a collision course. The Summer.fi hack is a canary in the coal mine: if the composite risk isn't addressed, institutional capital will retreat to Bitcoin and simple Ethereum holdings, leaving the DeFi corridor to retail gamblers.
Let's zoom out to the macro narrative. In bear markets, capital seeks shelter. The default move is to pull liquidity from complicated, high-leverage protocols back to the basics: ETH, stETH, maybe a simple lending pool. The future narrative I see emerging is one of hardened composability — where protocols sign explicit “safe interaction agreements,” or where execution is sandboxed and monitored by decentralized watchtowers. The project that solves composite risk will own the next cycle. Until then, the advice I give my own fund is ruthless: audit the audit. For any protocol you touch, list every external contract it calls. Then ask yourself: if any one of those contracts is compromised, can I still sleep? If the answer is no, don't interact.
This article began with a hack, but it ends with a question: what are you building your trust on? Security is the canvas; liquidity is the paint. But composite risk is the crack that forms when the canvas is stitched together from too many pieces. We don't just track trends; we hunt their origins. The origin of this $6 million loss was not a single code bug — it was a failure of imagination about what could go wrong when multiple systems dance together. The next time a protocol promises leveraged yield, ask not just where the yield comes from, but where the risks hide. Find the human heartbeat inside the cold code. And remember, the exit is easy; the narrative is the hard part.