Thetanuts Hit By $2.1M Legacy Vault Exploit As Whitehat Secures Most Funds
Thetanuts Finance was hit by a roughly $2.1 million exploit on Ethereum after an attacker abused a legacy vault accounting flaw, while around $2 million in positions appear to have been secured by a whitehat.
The attack centered on an old Thetanuts vault contract rather than the protocol’s current live products. Thetanuts said the affected vault was deprecated years ago and had no relation to its current contracts or products, with a full post-mortem still expected after the team completes its investigation.
The exploit transaction was followed by a separate whitehat rescue transaction from addresses that Etherscan labels as ThetanutsFi whitehat addresses. The whitehat action appears to have protected a large portion of the exposed option-token positions before the exploit could expand further.
PeckShield placed the total incident size near $2.1 million and said about $2 million in option tokens appeared to have been whitehatted. The exploiter swapped about $105,000 in USDC for roughly 60 ETH and still held around $34,000 in USDC-denominated option tokens after the initial attack flow.
Rounding Bug Let The Attacker Mint Almost For Free
The exploit path involved a math edge case in the vault’s minting and claiming logic. After claim(uint256) drained the vault toward a near-zero total supply, the mint(uint256) calculation rounded down in a way that allowed the required deposit amount to evaluate to zero.
The vulnerable logic followed a formula similar to depositAmount = vault.balance * amount / totalSupply. When total supply was pushed into an extreme low-supply state, integer division truncation turned the deposit requirement into zero for certain inputs. That opened a path for repeated free or near-free minting, letting the attacker create claims against vault value without putting in the required backing.
This was not a private-key compromise or a normal token approval drain. It was a contract-accounting failure, where a small rounding behavior became dangerous because the attacker could manipulate supply conditions first, then mint against broken math.
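As an added illustration, not Thetanuts code and not a claim about the real contract beyond the formula quoted above, the following Python model applies depositAmount = vault.balance * amount / totalSupply with Solidity-style truncating division to a constructed dust state, measures how fast zero-cost mints dilute other holders (the invariant check a vault test suite should have run), and puts a hardened variant beside it: round the deposit requirement up, reject unbacked mints, and refuse claims that push supply below a minimum floor. ToyVault, ceil_div, MIN_SUPPLY and every number are constructed for this example.

```python
# Toy share-vault accounting, constructed to illustrate the rounding failure
# described above. Not Thetanuts code; MIN_SUPPLY and all balances are made up.

MIN_SUPPLY = 1_000  # constructed minimum share supply a claim may not go below


def ceil_div(a: int, b: int) -> int:
    """Integer division rounded up (a >= 0, b > 0)."""
    return -(-a // b)


class ToyVault:
    """balance: underlying asset held (wei); total_supply: option/share tokens outstanding."""

    def __init__(self, balance: int, total_supply: int) -> None:
        self.balance = balance
        self.total_supply = total_supply

    # ---- vulnerable accounting: `//` truncates like Solidity's `/` ----
    def mint_vulnerable(self, amount: int) -> int:
        # depositAmount = vault.balance * amount / totalSupply
        cost = self.balance * amount // self.total_supply
        self.balance += cost
        self.total_supply += amount
        return cost

    # ---- hardened accounting ----
    def mint_hardened(self, amount: int) -> int:
        if amount <= 0:
            raise ValueError("mint amount must be positive")
        # Round the deposit requirement up so truncation never favours the minter.
        cost = ceil_div(self.balance * amount, self.total_supply)
        if cost == 0:  # only reachable when the vault holds nothing at all
            raise ValueError("unbacked mint rejected")
        self.balance += cost
        self.total_supply += amount
        return cost

    def claim_hardened(self, amount: int) -> int:
        # Keep supply out of the regime where one share is worth less than a wei.
        if self.total_supply - amount < MIN_SUPPLY:
            raise ValueError("claim would leave supply below MIN_SUPPLY")
        payout = self.balance * amount // self.total_supply  # floor rounds against the claimer
        self.balance -= payout
        self.total_supply -= amount
        return payout


def largest_free_mint(balance: int, total_supply: int) -> int:
    """Largest `amount` the vulnerable formula charges nothing for:
    balance * amount // total_supply == 0  <=>  balance * amount < total_supply."""
    if balance == 0:
        return total_supply  # any amount is free once backing is zero
    return (total_supply - 1) // balance


def simulate_free_minting(balance: int, total_supply: int, rounds: int):
    """Invariant check for a vault test suite: starting from a dust state, how much
    supply can zero-cost mints capture in `rounds` calls?
    Returns (free_shares_minted, total_supply_after)."""
    vault = ToyVault(balance, total_supply)
    free_shares = 0
    for _ in range(rounds):
        amount = largest_free_mint(vault.balance, vault.total_supply)
        if amount == 0:
            break  # no zero-cost mint exists in this state
        assert vault.mint_vulnerable(amount) == 0
        free_shares += amount
    return free_shares, vault.total_supply


def hardened_mint_cost(balance: int, total_supply: int, amount: int):
    """Deposit the hardened mint demands, or None if it rejects the mint."""
    try:
        return ToyVault(balance, total_supply).mint_hardened(amount)
    except ValueError:
        return None


def hardened_claim_allowed(balance: int, total_supply: int, amount: int) -> bool:
    """True if the hardened claim path accepts the claim."""
    try:
        ToyVault(balance, total_supply).claim_hardened(amount)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed dust state: 1 wei of backing against 5 outstanding shares.
    print("free shares after 10 rounds:", simulate_free_minting(1, 5, 10))
    print("hardened cost for 4 shares:", hardened_mint_cost(1, 5, 4))
    print("hardened mint on empty vault:", hardened_mint_cost(0, 5, 4))
    print("claim leaving 5 shares allowed:", hardened_claim_allowed(10**18, 10**18, 10**18 - 5))
```

In the constructed dust state the vulnerable path mints 4 shares for nothing, and ten repeated calls leave free shares holding over 99.8% of supply; the hardened path charges 1 wei for the same mint. Rounding up alone is not enough once a share is worth less than a wei, which is why the supply floor on claim matters: it stops the vault from reaching the low-supply state in the first place.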
The pattern is similar to other DeFi failures where low liquidity, low supply or edge-case accounting turns a normal formula into an attack surface. CryptoAdventure’s recent Aztec Connect exploit story raised a related issue: deprecated or legacy contracts can still hold real value, even when teams have moved active products elsewhere.
Deprecated Contracts Still Carry Real Risk
Thetanuts’ current contracts may not be connected to the affected vault, but the incident shows why old deployed code remains a live risk on Ethereum. Smart contracts do not disappear when a protocol migrates away from them. If value, approvals, option tokens or claim paths remain attached to old contracts, attackers can still search them for exploitable edge cases.
That risk is especially sharp in structured-product protocols. Options vaults, index tokens and LP-style accounting often rely on supply, backing, settlement and redemption math. A rounding issue that looks minor under normal conditions can become severe when an attacker uses flash liquidity or repeated calls to force the system into an abnormal state.
The whitehat rescue kept the incident from becoming a full drain, but the confirmed exploit flow still leaves Thetanuts with a post-mortem to deliver. Users will be watching for the exact affected vault, the status of rescued assets, whether any user funds remain at risk, and how the team plans to handle legacy contract exposure after the incident.