1. Summary:
On July 6, 2026, an attacker manipulated the share price of two Lazy Summer Protocol USDC vaults on Ethereum mainnet and extracted approximately $6.04 million of depositor value in a single atomic transaction.
This RFC is to discuss the next steps with a primary focus on how to enable the redemption of the remaining USDC for affected users in the Vaults. As this is a fully decentralised protocol, it is up to the DAO to choose the next course of action.
The total losses amounts are;
- Lower Risk USDC (0x98c…): Total loss: 5,639,356.94 USDC (58.26%)
- Higher Risk USDC (0xe9c…): Total loss: 204,155.85 USDC (42.29%)
This proposal will outline different ways the redemption can be done, with some options that delegates will need to decide upon.
A full post mortem of the exploit is available here: Lazy Summer USDC Vault Exploit Post-Mortem: What Happened and What Comes Next
Please note this is not a RFC to discuss compensation, or any other part of the exploit beyond how to return the remaining USDC to the rightful owners within the Vault. Other RFC’s will likely be posted to cover the other topics.
2. Context & Motivation:
Given the Vaults are currently paused, users cannot withdraw their assets from these vaults. This RFC is to agree the plan to enable withdrawals in the most safe and efficient way, ensuring users get back the most amount possible without any further losses.
It should be noted that the Lower Risk Vault has already had it’s shares/balances socialised, so the current balances within the summer.fi app and onchain reflect this, but do still include the attacker balances.
The Higher Risk Vault at present does not need to be socialised, because the outstanding shares in the Term Vault are deposited into the Lower Risk Vault and represent the correct socialised loss.
3. Proposal:
This RFC proposes to use a snapshot taking at the ‘Pause’ moment of the Vaults affected, 10:25am UTC, via this transaction.
Because at this point, the attacker still has shares in both Vault, it is proposed (and poll’ed below) to remove the attackers shares from the snapshot.
It is then proposed to use this snapshot to create a merkl proof (either via a custom merkl contract, or via Merkl (if we can agree with them to remove the fee) to enable claims of the USDC.
Technically, Governance will need to unpause the contract, request withdrawals from relevant Arks (origin, Syrup) and then sweep the USDC to the timelock before then transferring it to the relevant merkl contract (if this is the process agreed).
4. Open Questions:
- Yes, remove the attacker address
- No, leave their address in
- Yes, use the proposed snapshot
- No, I’ll comment my suggestion below
- Yes, and we should try and use Merkl.xyz (if no fee)
- Yes, but it should be custom
- No, I propose another way in the comments
The polls above are set to expire at 11am UTC on Friday to try and rally the DAO around a quick decision on the approach. If no decision has majority alignment, new polls and direction will be discussed. It is my opinion that it should be the aim of the DAO to try and return the remaining capital as soon as possible, while remaining safe.
If the community has any other approach they would like to consider for the returning of the funds, we would encourage you to comment below.
5. Next Steps:
- Gather community feedback
- Iterate based on discussion
- Summer Labs Co will then build the relevant contracts required to complete the process
- Promote to SIP (with clear, formal specification)
Please note a seperate RFC and proposal will be put forward for re-enabling the other unaffected vaults across Ethereum and the other chains. At the time of writing, all Vaults across the protocol are paused.
Tagging @Recognized_Delegates for you input and voting on the polls.