The protocol had a vault that was missing key checks, allowing an attacker to front-run the first user to deposit on a new vault and cause their received shares to be zero for a non-zero amount, while the attacker had 1 share. The attacker could then use this 1 share to withdraw all funds from the vault, including those of the other user.
The Protocol quickly confirmed and fixed the issue.