Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 289 · Smart Contract Bug

Thetanuts Finance Deprecated Vault Exploit

An integer-division rounding bug in a long-deprecated Thetanuts Finance vault let an attacker mint option tokens for free and drain about $2.1M on Ethereum; white-hats clawed back roughly $2M.

Date: June 15, 2026
Chain(s): Ethereum
Status: Partially Recovered

On June 15, 2026, Thetanuts Finance lost approximately $2.1 million when an attacker exploited an integer-division rounding flaw in a long-deprecated options vault on Ethereum. The bug let the attacker mint vault option tokens essentially for free and redeem them against the vault's remaining collateral. Thetanuts stressed that the affected vault had been migrated away from years earlier and has no connection to its active products or current systems.

What happened

Security firms SlowMist, PeckShield and Blockaid traced the root cause to the contract's mint function: because of rounding during integer division, the deposit formula could evaluate to 0, allowing tokens to be minted without paying for them. Compounding deposits then enabled effectively unlimited token creation, which the attacker used to drain the deprecated vault's balance. The legacy contract had been deprecated long before the incident, but it remained live on-chain — leaving a small, forgotten attack surface that an opportunist eventually found.
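The rounding failure described above can be reproduced with a small model. This is an added example, not the Thetanuts contract or any code published by the firms named: the share-price formula, the `Vault` class, its helper functions and all balances are assumptions constructed for illustration. It contrasts floor division with ceiling division plus a zero-cost check, and includes an invariant test a reviewer could run against mint math.

```python
# Constructed model of share-priced mint math; not the Thetanuts contract.
# Python's // on non-negative ints floors exactly like Solidity uint division.

class Vault:
    def __init__(self, total_assets, total_supply, hardened):
        self.total_assets = total_assets  # collateral, smallest units
        self.total_supply = total_supply  # option tokens outstanding
        self.hardened = hardened

    def required_deposit(self, tokens):
        numerator = tokens * self.total_assets
        if self.hardened:
            # Ceiling division: rounding error always favours the vault.
            return -(-numerator // self.total_supply)
        # Floor division: any numerator below total_supply becomes 0.
        return numerator // self.total_supply

    def mint(self, tokens):
        cost = self.required_deposit(tokens)
        if self.hardened and (tokens == 0 or cost == 0):
            raise ValueError("mint must be paid for")
        self.total_assets += cost
        self.total_supply += tokens
        return cost

def dilutes_holders(vault, tokens):
    """Invariant check: True if the mint lowered assets per token."""
    a0, s0 = vault.total_assets, vault.total_supply
    vault.mint(tokens)
    # Cross-multiplied to stay in integers: a1/s1 < a0/s0
    return vault.total_assets * s0 < a0 * vault.total_supply

def scan(hardened, assets=500, supply=1_000_000, max_tokens=5000):
    """Try each request size on a fresh vault; return (free mints, dilutions)."""
    free = diluted = 0
    for tokens in range(1, max_tokens):
        v = Vault(assets, supply, hardened)
        free += v.required_deposit(tokens) == 0
        diluted += dilutes_holders(v, tokens)
    return free, diluted

def repeat_mints(hardened, tokens=1999, rounds=100):
    """Total paid and final supply after repeated small mints on one vault."""
    v = Vault(500, 1_000_000, hardened)
    paid = sum(v.mint(tokens) for _ in range(rounds))
    return paid, v.total_supply

if __name__ == "__main__":
    print("floor  :", scan(False), repeat_mints(False))
    print("ceiling:", scan(True), repeat_mints(True))
```

The same `dilutes_holders` check works as a property test over randomized balances: with rounding in the vault's favour it should never return True.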

Aftermath

White-hat defenders recovered roughly $2 million worth of the option tokens through a counter-exploit/recovery process, leaving a comparatively small net loss. PeckShield reported that the attacker swapped about $105,000 in USDC for roughly 60 ETH and retained an estimated $34,000 in USDC-based option tokens that were not recovered. Because most of the value was returned, the incident is classified here as partially-recovered.

Why it matters

Thetanuts is a textbook case of two recurring catalogue themes. First, deprecated-but-still-live contracts are real attack surface — the same lesson as the 1inch resolver legacy Fusion v1 bug, the Aevo legacy contract drain and the Yearn iEarn exploit; sunsetting a product is not the same as removing its code from the chain. Second, it shows how rounding and integer-division edge cases in mint/deposit math remain a quietly dangerous class of bug. The relatively happy ending — most funds returned via white-hat recovery — also mirrors the now-dominant outcome for sub-$10M exploits where the stolen funds stay identifiable on-chain.

Sources & on-chain evidence

  1. cryptopolitan.com: https://www.cryptopolitan.com/hack-deprecated-thetanuts-vault/
  2. finance.yahoo.com: https://finance.yahoo.com/markets/crypto/articles/deprecated-thetanuts-vault-exploited-2-042138909.html
  3. cryptonews.net: https://cryptonews.net/news/security/33013753/
  4. crypto-economy.com: https://crypto-economy.com/thetanutsfi-suffers-2-1-million-exploit-white-hat-recovers-most-funds/
