Get advice from AML Crypto experts
On July 6, 2026, at 05:17:59 UTC, the attacker executed a single atomic transaction on the Ethereum network, as a result of which two USDC vaults of the Lazy Summer Protocol - Lower Risk and Higher Risk - lost approximately $6.04 million of depositors' funds. The attacker artificially inflated the value of the vault shares using overvalued Silo Varlamore tokens and then drained real liquidity from the protocol's other positions.

The AML Crypto team reconstructed the movement of the stolen funds in Bholder.
  • Victim:
    Lazy Summer Protocol (Summer.Fi platform)
  • Background:
    Summer.fi is a DeFi platform that by 2026 had focused on developing the Lazy Summer Protocol - an onchain protocol of automated yield vaults. Users deposit assets, such as USDC, into so-called Lazy Vaults, after which the protocol allocates liquidity across pre-approved DeFi strategies and, when necessary, rebalances positions to generate yield in line with a defined risk level. The individual capital allocation destinations within the system are called ARKs.

    Previously, Summer.fi also offered the Summer.fi Pro service for lending, borrowing, and managing positions in third-party protocols. However, as of February 12, 2026, that interface was switched to view-only mode, and management of such positions was migrated to DeFi Saver. Since then, the Lazy Summer Protocol has become Summer.fi's core product.
  • Incident date: 
    2026-07-06 05:17:59 UTC
  • Incident summary:
    The attacker took advantage of the fact that one of the investment modules being decommissioned - an Ark - was still included in the value calculation of two Lazy Summer USDC vaults.

    The attacker had purchased in advance nearly worthless Silo Varlamore tokens, which the system continued to value significantly above their real worth. He then took out a flash loan of approximately $65 million, deposited USDC into the vaults, and transferred the overvalued tokens directly into the problematic Ark. As a result, the protocol mistakenly concluded that the value of the vault's assets had risen sharply, and the price of its shares increased accordingly.

    The attacker then redeemed his shares at the artificially inflated price. The payout was made not in the problematic tokens but in genuine liquid USDC belonging to depositors. Having received the funds, the attacker repaid the flash loan and kept approximately $6.04 million in profit. The entire operation affected two USDC vaults and was executed within a single transaction.

Actions taken as of the time of writing

As of July 10, 2026, the following measures had been taken after the attack:
  • The attacker's addresses were labeled in blockchain analytics systems. AML Crypto also identified and labeled the attacker's main address, the contract used to carry out the attack, and the addresses associated with them.
  • Information about the addresses was submitted to IDM. Details of the attacker's addresses and related transactions were sent to the system for further monitoring and response.
  • New deposits into the affected vaults were halted. Approximately an hour and a half after the attack, Block Analitica set zero deposit caps on the two affected USDC vaults.
  • Operation of the Lazy Summer Protocol vaults was suspended. The Guardian Multisig paused the vaults on the Ethereum, Base, Arbitrum, and Sonic networks to rule out a repeat of the attack through a similar Ark configuration. On HyperEVM, the pause via the Guardian did not go through due to the absence of the required role, but deposit caps there had already been set to zero.
  • SEAL 911 was brought into the investigation. Specialists began working with Summer.fi to analyze the attack mechanics and trace the origin of the funds used by the attacker. Blockaid, CertiK, PeckShield, Cyvers, and other teams also participated in or assisted with the investigation and tracing.
  • An attempt was made to contact the attacker. An onchain message was sent to the attacker from the Lazy Summer Protocol deployer address offering to establish contact. There is no public confirmation of a response from the attacker.
  • The overvalued tokens were removed from the vault value calculation. The Lazy Summer Foundation transferred the Silo Varlamore tokens from the Lower-Risk USDC Vault to its multisig. This eliminated the artificial distortion of the displayed asset value and share price.
  • Tracking of the stolen funds continued. The attacker's address and the exploit contract were published so that exchanges, analytics services, and other market participants could flag related activity. Meanwhile, part of the funds was moved through an intermediary address into Tornado Cash, which significantly complicated further onchain tracing.
  • Users were notified via the Summer.fi interface. The interface displayed information about the protocol suspension and the incident status. The team also stated that the internal technical investigation was ongoing, the root cause of the attack was being confirmed, and data was being prepared for DAO decisions.
  • The DAO began considering next steps. The items put up for discussion included the conditions for resuming operation of the unaffected vaults, the procedure for returning the remaining capital to users, and the possible exclusion of the attacker's shares from future calculations. At the time of publication, no final decision on compensation had been made.
Communication with the attacker:
Information related to the exploit of the USDC Vault on the Lazy Summer Protocol Jul-6-2026 05:17 UTC. This is the Summer deployer address. Can we discuss over Blockscan Chat. [link]

List of services the attacker interacted with

Stargate
  • Nature of the connection:
    direct, with the second address involved in laundering the stolen funds.
  • Reason for the request: 
    every Stargate cross-chain operation is linked to a transaction on the source network and a payout transaction on the destination network. In addition, the Stargate interface allows the user to specify an arbitrary recipient address. Accordingly, information about the relevant operations may make it possible to establish the source blockchain network, the wallet address from which the funds were deposited, the source TxIDs, the LayerZero GUID, the user-specified recipient address, and a possible refund address. We also request information about other operations linked to the same source address and any available technical details about the initiator of the transfers.
  • Contact:
    notices@stargate.finance. This address is specified in Stargate's official Terms of Use for legally significant notices and requests.
Uniswap
  • Nature of the connection:
    direct, with both addresses involved in the exploit.
  • Reason for the request: 
    the identified transactions may have been initiated through the official Uniswap web interface, Uniswap Wallet, or the Uniswap Labs API. According to the Privacy Policy, when a non-custodial wallet is connected, Uniswap Labs records the wallet's public address and may collect limited technical information, including localStorage data, mobile device ID, cookies, browser type and version, operating system, device or browser language, and referring/exit pages.
  • Contacts: 
    Official and legal requests: legal@uniswap.org
    Support requests: support@uniswap.org
    Data storage and processing inquiries: privacy@uniswap.org
    Request form: https://support.uniswap.org/hc/en-us/requests/new
    Mailing address: Universal Navigation, Inc., 228 Park Ave S, PMB 44753, New York, NY 10003, USA.
Curve Fi
  • Nature of the connection:
    direct, with one of the addresses involved in the exploit and with an address used in laundering the stolen funds.
  • Reason for the request:
    the identified operations may have been initiated through the official Curve Finance web interface. According to Curve's current Privacy Policy, use of the site may involve the collection of the IP address, information about the device's operating system, cookies, referrer URL, volume of data transferred, pages visited, browser type and version, internet service provider, protocols used, and other technical information.
  • Contacts:
    enquiries@curve.fi — the primary address specified in Curve's current Terms and Privacy Policy for official requests and data processing inquiries.
    security@curve.finance — the official contact for security matters and urgent incident escalation.
FixedFloat
  • Nature of the connection:
    direct. The FixedFloat hot wallet 0xba3fe475f4617944c6e56d33cd7c2a841aaa8bca provided liquidity on the Base network to the addresses 0x34b5f9478fc7bc8c3f065d940afd5cae1890387b and 0x5864a889076b9b4d2929f2e7b990c8076eea3c3c, presumably controlled by the attacker. The funds received were subsequently sent to Gas.zip and used to fund the fees of the addresses involved in preparing and carrying out the Lazy Summer Protocol exploit.
  • Reason for the request:
    according to its Privacy Policy, FixedFloat automatically collects the IP address, browser type, internet service provider, referring/exit pages, date and time of visit, cookies, log files, tags, and pixels. We therefore also request IP addresses, timestamps, browser and ISP data, cookie and session identifiers, device information, support request history, and information about other orders linked to the same technical identifiers, addresses, or contact details.
  • Contacts:
    legal@fixedfloat.com — law enforcement requests;
    compliance@fixedfloat.com — AML/compliance matters and suspended transactions;
    help@fixedfloat.com — requests from crime victims;
    support@fixedfloat.com — general inquiries and support.
Gaz Zip
  • Nature of the connection:
    direct. The addresses 0x34b5f9478fc7bc8c3f065d940afd5cae1890387b and 0x5864a889076b9b4d2929f2e7b990c8076eea3c3c, presumably controlled by the attacker, sent ETH to the Gas.zip deposit address 0x2a37D63EAdFe4b4682a3c28C1c2cD4F109Cc2762. After the deposits were processed, the Gas.zip hot wallet 0x5babe600b9fcd5fb7b66c0611bf4896d967b23a1 transferred ETH to five addresses used to accumulate Silo Varlamore tokens: 0xd39d1733a03f940ce47cec8982e45e6964d29fa1 0xe5bff5a3752d48606d5f4ff19954138fe5e656b1 0x11946f3bb1e67b8f4e50cb01ea1fba7cec7ac60e 0x14ec7a28c020283eb53f302e8dbcc025cb49baf8 0x341a58a1ad7aa1fee212719b0c2d8e4c8e0fd195 The accumulated tokens were subsequently transferred to the exploit contract 0x0514f827c129c16418a0933e03c99a6af982fc61 and used in the exploitation of the Lazy Summer Protocol.
  • Reason for the request: 
    the Gas.zip service was used to distribute funds to addresses directly involved in preparing the exploit. According to Gas.zip's technical documentation, a deposit transaction contains calldata specifying the destination networks and the recipient address, and the recipient address may differ from the address that made the deposit. Consequently, Gas.zip's internal data may make it possible to match incoming deposits with outgoing payouts, identify the networks and destination addresses selected by the user, and reveal other operations performed by the same initiator.
  • Contact for official requests:
    privacy@gas.zip - the official address for requests concerning personal data and technical information.

Timeline of events

  • Stage 0: Accumulation of Silo Varlamore tokens
2026-03-30 9:31:23
2026-03-30 9:31:23
withdrawal of Silo Varlamore tokens (accumulation) to the address 0x11946f3bb1e67b8f4e50cb01ea1fba7cec7ac60e 
from 2026-03-30 2:39:35 to 2026-03-30 3:59:35
from 2026-03-30 2:39:35 to 2026-03-30 3:59:35
withdrawal of Silo Varlamore tokens (accumulation) to the address 0x14ec7a28c020283eb53f302e8dbcc025cb49baf8 
2026-04-09 4:06:35
2026-04-09 4:06:35
withdrawal of Silo Varlamore tokens (accumulation) to the address 0xe5bff5a3752d48606d5f4ff19954138fe5e656b1 
2026-04-09 4:18:11
2026-04-09 4:18:11
withdrawal of Silo Varlamore tokens (accumulation) to the address 0xd39d1733a03f940ce47cec8982e45e6964d29fa1
2026-04-09 12:00:11
2026-04-09 12:00:11
withdrawal of Silo Varlamore tokens (accumulation) to the address 0x341a58a1ad7aa1fee212719b0c2d8e4c8e0fd195
  • Stage 1: Withdrawal of funds from FixedFloat to pay fees and carry out the exploit
2026-04-06 15:43:35
2026-04-06 15:43:35
withdrawal of funds from the FixedFloat hot wallet to the attacker's affiliated address 
2026-04-06 15:46:25
2026-04-06 15:46:25
transfer of funds to the Gas.zip service to further fund the address holding Silo Varlamore tokens 
2026-04-06 15:55:25
2026-04-06 15:55:25
transfer of funds to the Gas.zip service to further fund the address holding Silo Varlamore tokens 
2026-04-06 16:00:27
2026-04-06 16:00:27
transfer of funds to the Gas.zip service to further fund the address holding Silo Varlamore tokens 
2026-04-06 16:13:01
2026-04-06 16:13:01
transfer of funds to the Gas.zip service to further fund the address holding Silo Varlamore tokens 
2026-04-06 16:59:59
2026-04-06 16:59:59
withdrawal of funds from the FixedFloat hot wallet to the attacker's affiliated address 
2026-04-09 01:56:37
2026-04-09 01:56:37
transfer of funds to the Gas.zip service to further fund the address holding Silo Varlamore tokens
  • Stage 3: Exploit
2026-07-06 5:17:23
2026-07-06 5:17:23
transfer of Silo Varlamore tokens to the main exploiter address 
2026-07-06 5:17:59
2026-07-06 5:17:59
exploit
  • Stage 4: Laundering of the stolen tokens
2026-07-06 5:17:59
2026-07-06 5:17:59
transfer of funds to the exploiter's second address 
from 2026-07-07 1:38:59 to 2026-07-07 3:47:47
from 2026-07-07 1:38:59 to 2026-07-07 3:47:47
transfer of tokens to Uniswap 
from 2026-07-08 4:56:47 to 2026-07-09 3:06:11
from 2026-07-08 4:56:47 to 2026-07-09 3:06:11
transfer of tokens to the smart contract 0x824cb092b6f1dad5bf95b315250479fb38ef069a 
from 2026-07-08 4:56:47 to 2026-07-09 3:06:11
from 2026-07-08 4:56:47 to 2026-07-09 3:06:11
transfer of tokens to Uniswap
from 2026-07-08 4:56:47 to 2026-07-09 3:06:11
from 2026-07-08 4:56:47 to 2026-07-09 3:06:11
transfer of tokens to the address 0x46e09c4d4d20c0474598b4d2ffdd08bdf416eba7 
from 2026-07-07 01:56:35 to 2026-07-09 03:16:47
from 2026-07-07 01:56:35 to 2026-07-09 03:16:47
transfer of tokens to Tornado Cash

Analyst notes

  • The FixedFloat connection is one of the most significant points for establishing the attacker's identity. The funds withdrawn from the FixedFloat hot wallet to the addresses 0x34b5f9478fc7bc8c3f065d940afd5cae1890387b and 0x5864a889076b9b4d2929f2e7b990c8076eea3c3c were subsequently used to fund the infrastructure involved in preparing the exploit. Obtaining data from FixedFloat on the relevant exchange orders - incoming deposit addresses, source assets and networks, IP addresses, timestamps, cookie and session identifiers, device information, and related operations - may make it possible to establish the original source of funds and identify other addresses controlled by the same person.
  • Gas.zip served as the link between the initial funding and the addresses where Silo Varlamore tokens were accumulated. Through the service, funds were distributed to at least five addresses, which later transferred the accumulated tokens to the exploit contract. Gas.zip's internal data may make it possible to match incoming deposits with specific payouts, determine the networks and destination addresses specified by the user, and identify other operations linked to the same wallet, IP address, device, session, or browser fingerprint.
  • The timeline points to advance, coordinated preparation of the attack. The accumulation of Silo Varlamore tokens and the funding of the related addresses began no later than late March - early April 2026, while the exploit itself was carried out on July 6, 2026. The significant time gap between the preparatory operations and the attack may indicate prior study of the protocol's mechanics, gradual accumulation of the necessary assets, and deliberate division of functions among multiple addresses.
  • The Stargate transfers, despite their relatively small amounts, may have high identification value. Cross-chain operations make it possible to trace not only the payout on the destination network but also the associated transaction on the source network. Obtaining data on the source chain, the source TxID, the LayerZero GUID, the initiator's address, and the refund address may lead to a previously unidentified wallet of the attacker and expand the cluster under investigation. The small size of the transfers does not diminish their significance, since such operations may have been used solely for the initial funding of fees.
  • The interactions with Uniswap and Curve Finance are additional potential sources of technical attribution. If the operations were conducted through the official interfaces, the operators may have retained technical logs linked to the attacker's addresses: timestamps, browser and device information, cookies, session identifiers, referrer URLs, and other data. However, interaction with the smart contracts alone does not prove use of the official web interface, so the corresponding requests should take this caveat into account.
  • Preliminary analysis of Tornado Cash did not conclusively identify the further recipients of the stolen funds.Potential exits matching certain timing and behavioral patterns were identified, but the available data is insufficient for confident attribution. To improve accuracy, it is necessary to continue monitoring exits, compare denominations, time intervals, the sequence of subsequent transfers, and the networks and services used, as well as analyze recurring behavioral patterns of potential recipients. Until additional confirmation emerges, such addresses should be treated only as probable, not established, exits of the attacker.
  • The totality of the established connections forms a coherent chain of preparation and execution of the attack: obtaining the initial funding through FixedFloat, distributing funds through Gas.zip, accumulating Silo Varlamore tokens on separate addresses, consolidating them on the exploit contract, executing the atomic transaction, and subsequently moving the funds through DEXes, cross-chain protocols, and Tornado Cash. At the same time, while onchain analysis confirms the movement of funds and the links between the addresses, establishing the identity of the person controlling them requires obtaining offchain data from the services involved.
  • Incident conclusion
    The attack on the Lazy Summer Protocol was a premeditated and technically sophisticated operation. Over several months, the attacker accumulated Silo Varlamore tokens, funded related addresses, and prepared the infrastructure, and then used a single atomic transaction to artificially inflate the share price of two USDC vaults and drain approximately $6.04 million of real liquidity.

    Onchain analysis shows a consistent link between the initial funding addresses, the FixedFloat and Gas.zip services, the token accumulation addresses, the exploit contract, and the main beneficiary address. This makes it possible to treat these wallets as a single functional cluster used to prepare, execute, and subsequently conceal the traces of the attack.

    The most promising sources for further attribution are the offchain data of FixedFloat, Gas.zip, and Stargate: information about exchange orders, source deposits, cross-chain transactions, IP addresses, devices, sessions, and related operations. This data may help establish the original source of funds, additional addresses, and the possible identity of the attacker.

    After the exploit, the funds were moved through Uniswap, Curve Finance, Stargate, and Tornado Cash. The use of decentralized protocols and a mixer significantly complicated further tracing, but certain timing, amount, and behavioral patterns retain analytical value.

Attacker addresses

Transactions affiliated with the exploit

Want to learn more and get expert advice? Leave your email and we will contact you promptly!
We also recommend