Attackers exploited Lazy Summer season Protocol’s USDC vaults, extracting $6.04 million by manipulating asset values, affecting depositors’ capital
The exploit was made attainable by tokens left mispriced on the blockchain after Stream Finance’s collapse, permitting attackers to inflate vault values
Restoration is troublesome, with $4 million in depositor capital excellent, and the protocol’s DAO should vote on compensation and unpausing the vaults
The roughly $6.04 million drained from Lazy Summer season Protocol’s USDC vaults on July 6 was not the results of a coding bug or a stolen key, in keeping with a confirmed autopsy — it was a delayed act of contagion, made attainable by tokens that November’s Stream Finance collapse had left mispriced on the blockchain for eight months.
A confirmed exploit, powered by a ghost
The incident noticed an attacker extract about $6.04 million from two vaults on Ethereum in a single atomic transaction — roughly $5.64 million from the lower-risk USDC vault and $0.40 million from the higher-risk one. The Lazy Summer season Basis and Summer season.fi, the protocol’s entrance finish, have since published an in depth autopsy whose on-chain evaluation was independently reproduced by a number of contributors towards the transaction hint and contract supply.
The mechanism was net-asset-value manipulation. Lazy Summer season’s automated vaults derive their share worth from the entire worth reported by a set of underlying technique adapters referred to as “Arks.” Crucially, an Ark credit any tokens transferred straight into it at its personal valuation.
The attacker exploited that by donating a badly overvalued token into an Ark that was nonetheless counted within the vault’s worth—inflating the vault’s reported worth by about 9.5% with nothing actual behind it—then redeeming their shares on the inflated worth, with the payout assembled from the vault’s genuinely liquid belongings, that means different depositors’ capital. The protocol’s personal contracts, the autopsy stresses, had been verified and behaved precisely as written. The failure was not within the code however in a course of: an impaired market had been left priced into the vault whereas it awaited elimination.
The Stream Finance thread
The over-valued token on the heart of all of it is the place the story reaches again in time. The asset the attacker donated was a Silo “Varlamore USDC Development” vault token—and people tokens had been carrying a stale on-chain worth ever because the November 2025 collapse of Stream Finance. That failure, triggered by a $93 million loss disclosed by an exterior fund supervisor, crashed Stream’s xUSD token by 77% and uncovered an estimated $285 million in interconnected debt throughout protocols together with Euler, Silo, and Morpho.
Within the wreckage, sure Silo market tokens tied to that ecosystem had been left reporting a price that was by no means marked all the way down to replicate actuality, whilst curiosity stored accruing on stranded USDC.
That stale valuation was the load-bearing situation for the complete exploit. As a result of the tokens nonetheless registered close to their unique value whereas being value a fraction of it, an attacker who gathered them held an asset the vault’s accounting would drastically overvalue.
The autopsy describes an operation deliberate no less than three months upfront, with wallets funded via a typical path in early April and used over subsequent weeks to construct the stale-token place throughout a number of addresses to obscure the buildup. This was deliberate and affected person, not opportunistic—the flash mortgage that provided roughly $65 million of stablecoin liquidity for the ultimate transaction was merely the set off on a weapon assembled over months.
The precise hole the attacker slipped via is a refined however instructive one. The compromised Ark had already had its deposit cap set to zero as a part of an offboarding course of meant to retire it after the 2025 turmoil. However zeroing the cap solely blocks new inflows; it doesn’t take away the Ark from the set of markets counted within the vault’s worth. That left the impaired, manipulable market nonetheless influencing the share worth in the course of the window between deactivation and full elimination—the publicity the autopsy identifies because the true root trigger.
Response, restoration, and the lesson
The protocol’s emergency equipment labored as designed, even when it couldn’t undo an assault that accomplished in a single transaction. The incident marked the primary live-exploit use of Lazy Summer season’s Guardian Module, a narrowly scoped, community-controlled multisig that may solely pause vaults, zero deposit caps, and cancel dangerous governance proposals—it can not transfer consumer funds.
Working from the safety alerts, the Guardians paused each vault throughout Ethereum, Base, Arbitrum, and Sonic as a precaution, whereas Block Analitica froze deposits and the incident-response collective SEAL 911 was engaged to hint the funds. The Basis later swept the stale donated tokens out of the affected vault to cease them from distorting the displayed worth. The response was swift and, per the autopsy notes, prevented copycat assaults on different vaults—however it got here after the harm was completed.
Restoration now seems troublesome. The attacker swapped the proceeds into DAI and routed a portion via Twister Money, the on-chain mixer, a transfer the staff reads as signaling restricted intent to return the funds and one which breaks direct tracing. The protocol has printed the attacker’s addresses so exchanges can flag related exercise. Roughly $4 million in depositor capital stays excellent within the vaults, a lot of it now illiquid, and the way or whether or not affected customers are made complete is now a matter for Lazy Summer season’s DAO, which should vote on unpausing the vaults, returning the remaining capital, and whether or not to exclude the exploiter’s shares from any settlement.
Compensation, the postmortem is evident, is an undecided governance query. The protocol’s SUMR token traded close to $0.00193 within the aftermath, down about 5.3%.
The broader lesson transcends one protocol. The exploit is a reminder that in composable DeFi, a collapse is rarely totally over: the mispriced particles it leaves behind can sit dormant on-chain for months, ready for somebody affected person sufficient to show it right into a weapon. The repair Lazy Summer season factors to is procedural—by no means go away an impaired market priced right into a vault longer than vital—however the deeper publicity is systemic, and it belongs to each protocol nonetheless carrying the ghosts of final yr’s failures on its books.
Additionally Learn: ATM Token Exploit Drains $243K Through Hidden Swap Loophole
Disclaimer: The knowledge researched and reported by The Crypto Occasions is for informational functions solely and isn’t an alternative choice to skilled monetary recommendation. Investing in crypto belongings entails vital danger resulting from market volatility. At all times Do Your Personal Analysis (DYOR) and seek the advice of with a professional Monetary Advisor earlier than making any funding choices.





