Deprecated Thetanuts vault drained of $2.1M

Attackers exploited an integer-division bug to mint free tokens and drained about $2.1 million from a deprecated Thetanuts vault; whitehats recovered roughly $2 million.

Attackers drained about $2.1 million from a deprecated vault at Thetanuts Finance after exploiting an integer-division bug in the contract’s mint function. Whitehat defenders recovered roughly $2 million in option tokens following the initial theft.

Blockchain security firms traced the flaw to the vault’s mint function, where integer division caused the deposit calculation to round to zero. That rounding made the contract accept a zero-value deposit, allowing the attacker to mint option tokens without providing funds and rapidly drain the dormant vault.

On-chain analysis shows the exploiter swapped about $105,000 in USDC for roughly 60 ETH and still holds approximately $34,000 in option tokens in the attacker wallet. Security monitors and whitehat participants intervened to reclaim nearly $2 million worth of option tokens after the exploit.

Thetanuts wrote in a statement that the affected vault was deprecated and migrated years ago and is not connected to the protocol’s active contracts or products. The team said it will publish a post-mortem after completing its investigation and coordinating any further recovery steps.

The incident follows a pattern of attacks on legacy on-chain contracts that projects no longer maintain. Recent breaches of deprecated contracts include a $2.1 million drain from an older Aztec Connect contract and a roughly $1.3 million theft from legacy Raydium liquidity pools. In each case, live but unmaintained code remained accessible on-chain and was exploited.

Articles by this author