Thetanuts Finance, the DeFi options protocol, has confirmed that it suffered an exploit that drained $2.1 million from an existing vault linked to it.
According to Thetanuts, the compromised contract had been out of date for years.
Blockchain security company PeckShield Alertwho reported the incident before Thetanuts confirmed the exploit, reported that it appeared that $2 million in option tokens appeared to have been recovered through Whitehat’s efforts.
The remaining funds, approximately $105,000 $USDCwere exchanged by the exploiter for around 60 ETH, according to PeckShieldAlert’s on-chain analysis. The attacker also holds $34,000 in $USDC-labeled options tokens.
What led to the exploitation of Thetanuts Finance’s legacy vault?
A vulnerability in the vault’s redemption logic is the cause of the exploit, according to ExVul security researcherwho published an analysis on X.
Thetanuts Finance responded within hours, write on“Our preliminary investigation indicates that this is once again an outdated vault that we migrated from years ago.”
The protocol stated, “This is unrelated to any of our current contracts or products,” while adding that it would release a full post-mortem once it had gathered more details.
Blockaid’s exploit detection system Also took up the attack independently, issuing a community alert reporting active exploitation of the Thetanuts contract on Ethereum. The security platform also shared the address of the exploiter as well as the address of the exploited contract.
Are outdated protocols under attack?
The Thetanuts incident adds to a growing list of outdated protocols that have recently been attacked.
The most recent, apart from Thétanoutes, is Aztec connectionan abandoned privacy bridge since 2023, which lost $2.1 million due to a separate verification flaw in its immutable smart contracts, as reported by Cryptopolitan. In this case, the team had given up all admin keys, leaving no one able to fix or suspend the code.
So far in the month of June, the total value hacked in terms of DeFi exploits has exceeded $46 million, and it’s only halfway through the month. At this rate, it could rival or surpass May, which saw its share of protocol violations.
Thetanuts has attempted to assure its users of its current contracts that they are not at risk; However, the latest events have clearly shown users that the abandoned code is not safe code, just like the funds tied to it.