Blockchain security firm PeckShieldAlert, which flagged the incident before Thetanuts confirmed the exploit, reported that it seemed $2 million in option tokens appeared to have been recovered through whitehat efforts. The remaining funds, about $105,000 in USDC, were swapped by the exploiter for approximately 60 ETH, according to PeckShieldAlert’s on-chain analysis. The attacker also holds $34,000 in USDC-denominated option tokens.

Thetanuts claimed the vault was deprecated

A vulnerability in the vault’s redemption logic is the root of the exploit, according to security researcher ExVul, who published a breakdown on X. Thetanuts Finance responded within hours, writing on X, “Our preliminary investigation indicates that this is once again, a deprecated vault that we have migrated from years ago.” The protocol stated, “It has no relation to any of our current contracts or products,” while adding that it would publish a full post-mortem once it gathers more details.

Blockaid’s exploit detection system also picked up the attack independently, issuing a community alert flagging active exploitation of the Thetanuts contract on Ethereum. The security platform also shared the exploiter’s address and the exploited contract’s address as well. The Thetanuts incident adds to a growing list of deprecated protocols that have been attacked recently. The most recent, apart from Thetanuts, is Aztec Connect, a privacy bridge abandoned since 2023.

The protocol lost $2.1 million through a separate verification flaw in its immutable smart contracts, as Cryptopolitan reported. In that case, the team had renounced all admin keys, leaving no one able to patch or pause the code. So far in the month of June, the total value hacked in terms of DeFi exploits has crossed $46 million, and it is only midway into the month.

At this pace, it may rival or exceed May, which saw its own fair share of protocol breaches. Thetanuts has tried to assure its users of its current contracts that they are not at risk; however, the latest events have made it clear to users that abandoned code is not safe code, and so are the funds tied to them.

The post Thetanuts Finance suffers a $2.1 million exploit first appeared on Coinfea.