[RFC] Next steps for exploited USDC Vaults on Ethereum

1. Summary:

On July 6, 2026, an attacker manipulated the share price of two Lazy Summer Protocol USDC vaults on Ethereum mainnet and extracted approximately $6.04 million of depositor value in a single atomic transaction.

This RFC is to discuss the next steps with a primary focus on how to enable the redemption of the remaining USDC for affected users in the Vaults. As this is a fully decentralised protocol, it is up to the DAO to choose the next course of action.

The total losses amounts are;

  • Lower Risk USDC (0x98c…): Total loss: 5,639,356.94 USDC (58.26%)
  • Higher Risk USDC (0xe9c…): Total loss: 204,155.85 USDC (42.29%)

This proposal will outline different ways the redemption can be done, with some options that delegates will need to decide upon.

A full post mortem of the exploit is available here: Lazy Summer USDC Vault Exploit Post-Mortem: What Happened and What Comes Next

Please note this is not a RFC to discuss compensation, or any other part of the exploit beyond how to return the remaining USDC to the rightful owners within the Vault. Other RFC’s will likely be posted to cover the other topics.


2. Context & Motivation:

Given the Vaults are currently paused, users cannot withdraw their assets from these vaults. This RFC is to agree the plan to enable withdrawals in the most safe and efficient way, ensuring users get back the most amount possible without any further losses.

It should be noted that the Lower Risk Vault has already had it’s shares/balances socialised, so the current balances within the summer.fi app and onchain reflect this, but do still include the attacker balances.

The Higher Risk Vault at present does not need to be socialised, because the outstanding shares in the Term Vault are deposited into the Lower Risk Vault and represent the correct socialised loss.


3. Proposal:

This RFC proposes to use a snapshot taking at the ‘Pause’ moment of the Vaults affected, 10:25am UTC, via this transaction.

Because at this point, the attacker still has shares in both Vault, it is proposed (and poll’ed below) to remove the attackers shares from the snapshot.

It is then proposed to use this snapshot to create a merkl proof (either via a custom merkl contract, or via Merkl (if we can agree with them to remove the fee) to enable claims of the USDC.

Technically, Governance will need to unpause the contract, request withdrawals from relevant Arks (origin, Syrup) and then sweep the USDC to the timelock before then transferring it to the relevant merkl contract (if this is the process agreed).


4. Open Questions:

Should the attackers address be removed from any snapshot?
  • Yes, remove the attacker address
  • No, leave their address in
0 voters
Should the snapshot be from the moment the Vaults were paused?
  • Yes, use the proposed snapshot
  • No, I’ll comment my suggestion below
0 voters
Should we use a Merkl proof for distribution?
  • Yes, and we should try and use Merkl.xyz (if no fee)
  • Yes, but it should be custom
  • No, I propose another way in the comments
0 voters

The polls above are set to expire at 11am UTC on Friday to try and rally the DAO around a quick decision on the approach. If no decision has majority alignment, new polls and direction will be discussed. It is my opinion that it should be the aim of the DAO to try and return the remaining capital as soon as possible, while remaining safe.

If the community has any other approach they would like to consider for the returning of the funds, we would encourage you to comment below.


5. Next Steps:

  • Gather community feedback
  • Iterate based on discussion
  • Summer Labs Co will then build the relevant contracts required to complete the process
  • Promote to SIP (with clear, formal specification)

Please note a seperate RFC and proposal will be put forward for re-enabling the other unaffected vaults across Ethereum and the other chains. At the time of writing, all Vaults across the protocol are paused.

Tagging @Recognized_Delegates for you input and voting on the polls.

4 Likes

I support keeping this RFC narrowly focused on one objective: returning the remaining assets to affected users as safely and efficiently as possible. Separating the redemption process from any future discussions around compensation or protocol changes should help the DAO and @Recognized_Delegates reach consensus and move quickly.

My preference (voted in the polls above) is to use the proposed pause snapshot, exclude the attacker’s address from the distribution, and leverage Merkl for claims if a fee-free implementation is possible. The priority should be minimizing operational complexity while enabling users to regain access to their remaining funds as soon as practical.

2 Likes