Thetanuts abandoned vault hacked for $2.1 million, white-hat hackers recovered $2 million


Thetanuts vault hacked

DeFi options protocol Thetanuts Finance confirmed on June 16 that its old-style vault, which had been abandoned years ago, was attacked, resulting in a loss of $2.1 million. PeckShieldAlert, a blockchain security firm, issued an alert before Thetanuts confirmed the incident and reported that, through the efforts of white-hat hackers, about $2 million in options tokens had been recovered.

Attack details: PeckShieldAlert on-chain data

Thetanuts vault address (Source: PeckShieldAlert)

According to PeckShieldAlert’s on-chain analysis and Blockaid’s confirmation:

Funds recovered: about $2 million in options tokens (via white-hat hacker efforts)

Attacker converted: about $105,000 USDC exchanged for about 60 ETH

Attacker holdings: about $34,000 USDC-denominated options tokens

Independent detection: Blockaid’s vulnerability detection system independently confirmed the attack, issued a community alert, and disclosed the attacker’s address and the exploited contract address

Root cause of the attack, according to security researchers

A vulnerability analysis report published by security researcher ExVul on X confirmed that the root cause was a flaw in the vault’s redemption logic. Within a few hours after the attack, Thetanuts Finance stated: “Our preliminary investigation shows that this is a vault we had already abandoned years ago… it has nothing to do with any of our current contracts or products.” The company promised to release a complete post-incident analysis report after collecting more details.

Confirmed abandoned-protocol attack cases: Aztec Connect and cumulative losses in June

Before the Thetanuts incident, Aztec Connect (a privacy bridging project that stopped maintenance in 2023) also lost $2.1 million due to a verification vulnerability in an immutable smart contract; because the team had abandoned all administrator keys, no one could fix or pause the code.

As of the time of the June 16 report, the total losses from DeFi vulnerability attacks in June 2026 had exceeded $46 million, with the month only halfway over.

FAQ

Are Thetanuts’ current products and contracts affected by this attack?

According to Thetanuts’ official statement, what was attacked was an old-style vault abandoned years ago, “which has nothing to do with any of our current contracts or products.” The company also confirmed that its current products and smart contracts are not affected by this vulnerability.

How much of the stolen funds could ultimately not be recovered?

Based on PeckShieldAlert’s on-chain analysis, about $2 million was recovered through white-hat hacker efforts; the attacker exchanged about $105,000 USDC for 60 ETH, and held options tokens denominated at about $34,000 USDC. The funds expected to be unrecoverable are about $140,000.

Why do abandoned DeFi contracts still pose security risks?

As the Aztec Connect case shows, if a contract is designed to be immutable and the development team has abandoned the administrator keys, then no one can fix or pause the code after an attack occurs. Abandoned protocols typically no longer receive security audits or updates; if the code can still be called and still holds funds, it remains exposed to attack.
