Deprecated Thetanuts Vault Exploited for $2.1 Million
Thetanuts Deprecated Vault Exploited for $2.1 Million – Legacy DeFi Contract Exposes Ongoing Security Risks
Key Takeaways
- Attackers drained approximately $2.1 million from a deprecated Thetanuts Finance vault.
- The vulnerability stemmed from an integer division flaw in the vault’s mint function.
- Whitehat actors recovered about $2 million in option tokens.
- Thetanuts stated the affected vault is unrelated to its current contracts and products.
- Security firms also linked the incident to a broader pattern of attacks on legacy DeFi contracts.
Attack Targets Deprecated Thetanuts Vault
Attackers exploited an outdated vault belonging to Thetanuts Finance and drained roughly $2.1 million in assets. The incident was flagged by blockchain security firms on X, formerly known as Twitter, which began tracing the transaction flow shortly after the exploit occurred.
According to Thetanuts, the compromised vault had already been deprecated and migrated away from several years ago. The team stated that the affected contract has no connection to its active products or current systems. The protocol said it is conducting a preliminary investigation and plans to release a post-mortem once further details are available.
The exploit did not involve the platform's present contracts, but it highlights how older smart contracts can remain reachable on-chain even after projects move on to updated versions.
Integer Division Flaw Enabled Free Token Minting
Security firm SlowMist traced the root cause of the breach to an integer division flaw in the vault's mint function. According to its findings, the deposit formula evaluated to zero because of rounding during integer division (the EVM truncates toward zero, so a quotient smaller than one becomes exactly zero). As a result, an attacker was able to mint tokens without providing the expected underlying value.
This flaw effectively allowed unlimited token creation under certain conditions: every mint request for which the computed deposit rounded to zero could be repeated at no cost. Once the attacker generated the tokens, funds were drained from the vault.
PeckShield reported that approximately $105,000 in USDC was swapped for around 60 ETH. The exploiter’s wallet still holds roughly $34,000 in option tokens. At the same time, whitehat defenders were able to secure about $2 million in option tokens, limiting the overall financial impact.
The combination of an arithmetic error and an outdated contract created the conditions for the exploit. The rounding issue in the mint calculation was central to the attacker’s ability to extract value.
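The following is an added illustration, not Thetanuts' contract code (SlowMist's disclosure does not give the exact formula). It models a hypothetical share-pricing function of the shape `shares * total_assets / total_supply`, shows how floor division lets a mint request price to zero when the vault's asset balance is small relative to its supply (typical of a drained, deprecated vault), and contrasts it with a hardened version that rounds in the vault's favour and rejects zero-cost mints. All names and numbers are constructed.

```python
# Added example: toy model of an integer-division rounding bug in a mint
# function. Names, formula and numbers are hypothetical, not Thetanuts' code.

class VaultState:
    """Minimal vault bookkeeping: underlying held vs. share tokens outstanding."""
    def __init__(self, total_assets: int, total_supply: int):
        self.total_assets = total_assets   # underlying units held by the vault
        self.total_supply = total_supply   # share/option tokens outstanding

def required_deposit_vulnerable(state: VaultState, shares: int) -> int:
    """Underlying owed for `shares`, priced with floor division.

    If shares * total_assets < total_supply the quotient truncates to 0, so the
    caller receives `shares` tokens for free. Assumed (hypothetical) bug shape.
    """
    return shares * state.total_assets // state.total_supply

def required_deposit_hardened(state: VaultState, shares: int) -> int:
    """Same pricing, rounded UP (ceil) in the vault's favour; rejects zero."""
    if shares == 0:
        raise ValueError("zero shares requested")
    numerator = shares * state.total_assets
    owed = (numerator + state.total_supply - 1) // state.total_supply  # ceil div
    if owed == 0:
        raise ValueError("deposit rounds to zero; refusing free mint")
    return owed

def largest_zero_cost_mint(state: VaultState, pricing, limit: int) -> int:
    """Audit-style check: largest share count in 1..limit that the pricing
    function would hand out for a zero deposit (0 if none)."""
    best = 0
    for shares in range(1, limit + 1):
        try:
            if pricing(state, shares) == 0:
                best = shares
        except ValueError:
            continue  # hardened pricing reverts instead of returning 0
    return best

if __name__ == "__main__":
    # Constructed state: a mostly-withdrawn vault, 100 units backing 1e6 shares.
    state = VaultState(total_assets=100, total_supply=10**6)
    print("vulnerable cost for 5000 shares:", required_deposit_vulnerable(state, 5000))
    print("hardened cost for 5000 shares:  ", required_deposit_hardened(state, 5000))
    print("free-mint ceiling (vulnerable): ",
          largest_zero_cost_mint(state, required_deposit_vulnerable, 20_000))
```

The `largest_zero_cost_mint` scan is the kind of check a reviewer can run against any share-pricing formula before deployment, and it is equally applicable to legacy contracts that are still live.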
Protocol Response and Ongoing Investigation
Thetanuts addressed the incident publicly, emphasizing that the exploited vault was deprecated and migrated years ago. The team stated that the vault has no relation to any current contracts or products.
The protocol confirmed that it is continuing its investigation and will publish a detailed post-mortem once more information becomes available. At this stage, the known technical cause centers on the integer division rounding issue identified by SlowMist.
No additional impact on active vaults or current user products has been reported in the statements referenced. The focus remains on understanding how the deprecated contract remained vulnerable and accessible.
Pattern of Exploits in Dormant or Legacy Contracts
The Thetanuts incident fits into a broader pattern of attacks targeting dormant or legacy code in decentralized finance. Old smart contracts often remain deployed on-chain even after development teams stop maintaining them or migrate users to new systems.
Recent examples cited by security observers include an exploit of Aztec Connect, which had been deprecated three years earlier. In that case, attackers drained approximately $2.1 million. Another breach affected Raydium legacy liquidity pools, resulting in losses of about $1.3 million.
In each of these cases, the affected components were no longer part of the active product offering but still existed on-chain. Because smart contracts are immutable once deployed, they keep executing unless they were built with a pause or shutdown path and that path is actually invoked. This characteristic creates residual risk whenever a vulnerability in retired code remains undiscovered, and the risk persists for as long as the contract still holds or can be made to release value.
For users interacting with decentralized protocols, the distinction between active and deprecated contracts becomes important. Even when a project migrates to newer infrastructure, older contracts may still process transactions if they are not fully shut down.
Implications for DeFi Users and Platform Evaluations
For users evaluating DeFi protocols, including those that integrate crypto products into broader financial or gaming ecosystems, this incident underscores the need to verify which contracts are officially supported and maintained. Deprecated vaults may not receive ongoing security updates or monitoring.
Security firms played a central role in identifying the exploit mechanics and tracing fund movements. Their disclosures provided insight into how the rounding error enabled token minting and how funds were swapped after the breach.
The recovery of approximately $2 million in option tokens by whitehat actors reduced the net impact of the attack. However, the incident demonstrates that even inactive components can present financial exposure if vulnerabilities are discovered and exploited.
Our Assessment
Thetanuts Finance experienced a $2.1 million exploit affecting a deprecated vault, with the root cause identified as an integer division flaw in the mint function. Whitehat actors recovered about $2 million in option tokens, while the exploiter swapped part of the funds into ETH and retains a smaller balance in option tokens. The protocol stated that the affected vault is unrelated to its current products. The case aligns with other recent incidents involving legacy DeFi contracts that remained live on-chain after being deprecated.
