Svmuu News: Summer.fi has released an analysis report on the Lazy Summer Protocol USDC vault attack. On July 6, an attacker manipulated the share prices of two USDC vaults in a single atomic transaction, draining approximately $6.04 million in depositor funds. The report states that the attack exploited the method used to calculate the vault’s net asset value (NAV).
The attacker donated tokens—which still retained their old valuation—to a Silo Ark that had been suspended following an incident in November 2025 but had not yet been fully removed, causing the vault’s total assets to be inflated by approximately 9.5%. which inflated the share price. The attacker then redeemed shares at the inflated price and withdrew funds from the vault’s actual liquidity. The report emphasized that the attack was not caused by a vulnerability in the smart contract code, but rather by a gap in the vault’s decommissioning process; although the deposit limit for this Ark had been set to zero, its concentrated active assets were still being included in the NAV calculation.