Summer.fi hacker launders $1M through Tornado Cash after $6M exploit

Summer.fi hacker launders $1M through Tornado Cash after $6M exploit

The attacker swapped stolen USDC for DAI, then ETH, routing funds through the privacy mixer in batches while tracing firms scramble to follow the trail

The hacker behind the $6.04 million Summer.fi exploit on July 6 has begun laundering stolen funds through Tornado Cash, converting the haul from stablecoins to ETH and sending it through the privacy mixer in chunks.

Approximately 6.017 million DAI, swapped from the originally stolen USDC, was converted into ETH and routed through Tornado Cash in batches of 10 ETH or larger. Tracing firms are actively monitoring the laundering activity, but the use of Tornado Cash complicates recovery efforts considerably.

How the exploit actually worked

The attack targeted two USDC vaults within the Lazy Summer Protocol, which Summer.fi serves as a front-end for. The lower-risk vault, LazyVault_LowerRisk_USDC, bore the brunt of the damage at $5.64 million stolen. The higher-risk vault lost a comparatively modest $0.40 million.

The attacker borrowed roughly $65 million in flash loans to execute the operation, but the actual vulnerability was far more mundane.

Advertisement

The root cause was an incomplete offboarding process for a strategy adapter, known as an Ark, that connected to Silo “Varlamore USDC Growth” tokens. The Ark had been flagged for issues previously and was in the process of being removed, but the offboarding was never fully completed.

The attacker had reportedly been preparing for months, stockpiling overvalued Silo tokens tied to past market events. By pre-positioning these tokens into the still-active but flawed Ark, they were able to manipulate the net asset value calculations of both vaults, essentially tricking the protocol into thinking assets were worth more than they actually were. Then the flash loans did the heavy lifting, amplifying the manipulation into a multi-million-dollar extraction.

Security firms PeckShield and CertiK both flagged the exploit during real-time monitoring.

The fallout for SUMR and Summer.fi

Summer.fi moved quickly after the attack, pausing all vault activities to prevent further losses. The protocol’s own post-mortem confirmed that this was an operational failure rather than a fundamental flaw in the smart contract code.

The native SUMR token dropped to approximately $0.00193 following the exploit, a decline of more than 5%.

The fact that the attacker is now actively laundering through Tornado Cash dims recovery prospects further. Once ETH passes through the mixer, connecting it back to the original theft becomes exponentially harder. Tracing firms are still following the money, but the window for meaningful recovery narrows with every batch that gets tumbled.

What this means for DeFi investors

The Summer.fi incident demonstrates that the space between “we decided to remove this strategy” and “we actually removed this strategy” can be worth $6 million.

Tornado Cash remains one of the most contentious tools in crypto, sanctioned by the US Treasury’s OFAC in 2022 but still operational on-chain. Every high-profile laundering event that runs through the mixer adds fuel to the regulatory argument for stricter controls on privacy tools, which could ripple out to affect legitimate privacy use cases across the ecosystem.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.

Summer.fi hacker launders $1M through Tornado Cash after $6M exploit

Summer.fi hacker launders $1M through Tornado Cash after $6M exploit

The attacker swapped stolen USDC for DAI, then ETH, routing funds through the privacy mixer in batches while tracing firms scramble to follow the trail

The hacker behind the $6.04 million Summer.fi exploit on July 6 has begun laundering stolen funds through Tornado Cash, converting the haul from stablecoins to ETH and sending it through the privacy mixer in chunks.

Approximately 6.017 million DAI, swapped from the originally stolen USDC, was converted into ETH and routed through Tornado Cash in batches of 10 ETH or larger. Tracing firms are actively monitoring the laundering activity, but the use of Tornado Cash complicates recovery efforts considerably.

How the exploit actually worked

The attack targeted two USDC vaults within the Lazy Summer Protocol, which Summer.fi serves as a front-end for. The lower-risk vault, LazyVault_LowerRisk_USDC, bore the brunt of the damage at $5.64 million stolen. The higher-risk vault lost a comparatively modest $0.40 million.

The attacker borrowed roughly $65 million in flash loans to execute the operation, but the actual vulnerability was far more mundane.

Advertisement

The root cause was an incomplete offboarding process for a strategy adapter, known as an Ark, that connected to Silo “Varlamore USDC Growth” tokens. The Ark had been flagged for issues previously and was in the process of being removed, but the offboarding was never fully completed.

The attacker had reportedly been preparing for months, stockpiling overvalued Silo tokens tied to past market events. By pre-positioning these tokens into the still-active but flawed Ark, they were able to manipulate the net asset value calculations of both vaults, essentially tricking the protocol into thinking assets were worth more than they actually were. Then the flash loans did the heavy lifting, amplifying the manipulation into a multi-million-dollar extraction.

Security firms PeckShield and CertiK both flagged the exploit during real-time monitoring.

The fallout for SUMR and Summer.fi

Summer.fi moved quickly after the attack, pausing all vault activities to prevent further losses. The protocol’s own post-mortem confirmed that this was an operational failure rather than a fundamental flaw in the smart contract code.

The native SUMR token dropped to approximately $0.00193 following the exploit, a decline of more than 5%.

The fact that the attacker is now actively laundering through Tornado Cash dims recovery prospects further. Once ETH passes through the mixer, connecting it back to the original theft becomes exponentially harder. Tracing firms are still following the money, but the window for meaningful recovery narrows with every batch that gets tumbled.

What this means for DeFi investors

The Summer.fi incident demonstrates that the space between “we decided to remove this strategy” and “we actually removed this strategy” can be worth $6 million.

Tornado Cash remains one of the most contentious tools in crypto, sanctioned by the US Treasury’s OFAC in 2022 but still operational on-chain. Every high-profile laundering event that runs through the mixer adds fuel to the regulatory argument for stricter controls on privacy tools, which could ripple out to affect legitimate privacy use cases across the ecosystem.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.