The decentralized finance (DeFi) sector continues to grapple with vulnerabilities in legacy infrastructure, as options protocol Thetanuts Finance fell victim to a smart contract exploit on Ethereum on June 15. The incident resulted in an initial drain of approximately $2.1 million, primarily in option tokens from a long-abandoned contract. On-chain monitoring quickly picked up suspicious activity involving repeated mint-and-redeem operations on a legacy component. The attack specifically targeted an old “Index Vault” that the protocol had migrated away from years ago. This vault had no connection to Thetanuts Finance’s active product offerings or current smart contracts. The exploit adds to a growing list of security incidents affecting the crypto ecosystem in 2026. Recent breaches have ranged from compromised wallets to cross-chain infrastructure vulnerabilities, reinforcing concerns around operational security and smart contract risk management.
According to on-chain analysis, the exploiter targeted a vulnerable redemption and minting mechanism in the legacy vault (contract address: 0xC2C3AE…86Ac7). The root cause appears to stem from flawed share pricing logic: when the token supply was driven near zero through burning, the redemption formula (backing * amount / totalSupply) allowed inflated payouts. This enabled repeated mint-and-redeem cycles, amplified by flash loans. Key addresses involved include the exploiter (0x30498e…b41e), loot wallet (0xAf3a0F…2299), and the exploit transaction (0xbba9f1…9fec).
PeckShield reported that the attacker extracted roughly $105,000 in USDC, which was later swapped for approximately 60 ETH. They also held additional option tokens valued around $34,000. However, roughly $2 million worth of option tokens were swiftly recovered through white-hat intervention. Security researchers noted that ethical hackers acted quickly to intercept and return the majority of the drained option tokens to the protocol, significantly limiting the net loss.
Thetanuts Finance’s official account confirmed the incident, stating: “Our preliminary investigation indicates that this is once again, a deprecated vault that we have migrated from years ago. It has no relation to any of our current contracts or products. We will release a post-mortem once we get more details.” The latest exploit follows several notable security incidents reported across the industry this year. A series of wallet compromises and cross-chain security breaches have demonstrated how attackers continue to target different layers of crypto infrastructure, from user-facing applications to protocol-level systems. These incidents have further highlighted the importance of proactive security monitoring and rapid incident response across the ecosystem.
Thetanuts Finance is an RFQ-powered on-chain options protocol specializing in structured products, with a focus on altcoin options and yield-generating strategies such as concentrated liquidity deployment and delta hedging. The project has raised significant funding in the past, including an $18 million seed round in 2022 backed by prominent names like Three Arrows Capital, Deribit, QCP Capital, and Jump Crypto, followed by a $17 million Series A in 2023 led by Polychain Capital. It has positioned itself as a leader in on-chain options infrastructure, recently expanding through partnerships like CoinList for incentivized programs. According to CoinMarketCap, as of June 16, 2026, Thetanuts Finance’s native token $NUTS is currently trading at $0.001165 USD, reflecting a 24-hour price change of -0.64%. The token has a market capitalization of $1.22 million, with a 24-hour trading volume of $77.42K. Its fully diluted valuation (FDV) stands at $11.65 million. The token has a total and maximum supply of 10 billion NUTS, while the self-reported circulating supply is approximately 1.05 billion NUTS.
This is not the protocol’s first security incident. Earlier in 2026, a newly deployed vault suffered a first-depositor attack resulting in roughly $50,000 in losses, highlighting ongoing risks in vault mechanics across DeFi. Recent events across the broader crypto sector have shown that security threats are evolving beyond traditional smart contract flaws. From wallet-level compromises to infrastructure-related vulnerabilities, projects are increasingly being challenged to strengthen both code security and operational safeguards to protect user assets.
The incident underscores a persistent challenge in DeFi: legacy contracts that remain on-chain even after migration can become liabilities if not properly deprecated or removed. Security researchers have repeatedly emphasized the need for robust handling of edge cases – particularly near-zero total supply scenarios – in mint, burn, and redeem functions. White-hat interventions, as seen here, continue to play a critical role in mitigating damage, though the practice raises questions about coordination, incentives, and legal gray areas in decentralized ecosystems. Thetanuts has promised a full post-mortem, which the community will likely scrutinize for lessons on audit depth, contract sunsetting procedures, and invariant testing under extreme conditions.
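The share-pricing failure described earlier (the redemption formula `backing * amount / totalSupply` evaluated at near-zero supply) and the invariant testing called for here can be made concrete with a small model. This is an added example, not Thetanuts code or code from the original article; the `Vault` class, the burn semantics, and the `MIN_SUPPLY` and `MAX_DRIFT_BPS` values are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed policy values for this illustration; not taken from any real contract.
MIN_SUPPLY = 1_000        # lowest non-zero share supply the guarded vault accepts
MAX_DRIFT_BPS = 50        # largest share-price move allowed in one operation

class InvariantViolation(Exception):
    """Raised when a state change would break a share-accounting invariant."""

def price(backing: int, supply: int) -> int:
    # Assets per share, scaled by 1e18; defined as 0 when no shares exist.
    return backing * 10**18 // supply if supply else 0

@dataclass
class Vault:
    backing: int            # assets held, in smallest units
    total_supply: int       # shares outstanding
    guarded: bool = False   # False models the unchecked legacy behaviour

    def _apply(self, d_backing: int, d_supply: int) -> None:
        b, s = self.backing + d_backing, self.total_supply + d_supply
        if b < 0 or s < 0:
            raise ValueError("negative balance")
        if self.guarded:
            if s < MIN_SUPPLY and (s > 0 or b > 0):
                raise InvariantViolation("supply below floor")
            old, new = price(self.backing, self.total_supply), price(b, s)
            if old and new and abs(new - old) * 10_000 > old * MAX_DRIFT_BPS:
                raise InvariantViolation("share price moved outside tolerance")
        self.backing, self.total_supply = b, s

    def mint(self, assets: int) -> int:
        priced = self.backing and self.total_supply
        shares = assets * self.total_supply // self.backing if priced else assets
        self._apply(assets, shares)
        return shares

    def burn(self, shares: int) -> None:
        # Destroys shares and leaves the backing in place (assumed semantics).
        self._apply(0, -shares)

    def redeem(self, shares: int) -> int:
        if not 0 < shares <= self.total_supply:
            raise ValueError("invalid share amount")
        payout = self.backing * shares // self.total_supply  # formula from the text
        self._apply(-payout, -shares)
        return payout

def payout_after_burn(guarded: bool, burned: int) -> int:
    """Redeem 1 share after `burned` shares are destroyed in a 1:1 vault."""
    v = Vault(backing=1_000_000, total_supply=1_000_000, guarded=guarded)
    v.burn(burned)
    return v.redeem(1)
```

With the guards off, one share redeems for 100,000 units once the supply has been burned from 1,000,000 down to 10; with them on, the burn is rejected before any payout is computed.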
As the broader crypto market navigates regulatory scrutiny and capital efficiency demands, such events serve as timely reminders that infrastructure resilience remains foundational to sustainable DeFi growth.

