Tuesday, June 16, 2026

Thetanuts Finance Legacy Vault Exploit Shows Old DeFi Risk Still Lingers

Deprecated Thetanuts Vault Exploited

A deprecated Thetanuts Finance vault was drained for roughly $2.1 million, showing once again that DeFi risk does not always disappear when a product is migrated or retired. Whitehat defenders recovered about $2 million in option tokens, limiting part of the damage, but the incident still exposed a live weakness inside old infrastructure.

Thetanuts said the affected vault had been migrated from years ago and was not connected to its current contracts or products. A post-mortem remains pending, leaving the technical and operational picture incomplete while security firms continue to frame the attack as a legacy-contract failure rather than a breach of the protocol’s active system.

Arithmetic Flaw Turns Dormant Code Into Active Risk

Security firms traced the exploit to a flaw in the vault's mint function. SlowMist said the issue came from integer division: once the vault had been drained, rounding caused the deposit formula to evaluate to 0, creating a path for the attacker to mint tokens without proper backing.

That turned a quiet arithmetic issue into a serious exploit path. Once the faulty calculation was triggered, the attacker could mint tokens for free, effectively creating value from a broken formula inside infrastructure that many users may have assumed was no longer economically relevant.
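The rounding behaviour described above, modelled as an added example rather than Thetanuts code: a generic share-vault mint formula using floor division evaluates to 0 once the vault's asset balance is tiny relative to its outstanding shares, so shares can be minted for nothing. The hardened version rounds in the vault's favour and refuses a zero price, and a small detection rule flags mints with no assets coming in. The vault state, formula shape, event records and transaction ids are all constructed for illustration.

```python
"""Illustrative model of share-minting arithmetic in a token vault.

Added example, not Thetanuts Finance code. It shows how floor (integer)
division in a mint formula evaluates to 0 once a vault's asset balance is
small relative to its outstanding shares, and how rounding in the vault's
favour plus a zero check closes that path. All balances, events and
transaction ids below are constructed for the demonstration.
"""

from __future__ import annotations

from dataclasses import dataclass, field


class MintRejected(Exception):
    """Stands in for a Solidity revert."""


def assets_for_shares_floor(shares: int, total_assets: int, total_supply: int) -> int:
    """Assets owed for `shares`, rounded DOWN: the direction that favours the minter."""
    if total_supply == 0:
        return shares  # 1:1 bootstrap price when no shares exist yet
    return shares * total_assets // total_supply


def assets_for_shares_ceil(shares: int, total_assets: int, total_supply: int) -> int:
    """Same price, rounded UP so any fractional remainder is paid by the minter."""
    if total_supply == 0:
        return shares
    return (shares * total_assets + total_supply - 1) // total_supply


@dataclass
class Vault:
    total_assets: int
    total_supply: int
    shares: dict = field(default_factory=dict)

    def mint_naive(self, who: str, n: int) -> int:
        """Mint `n` shares, charging floor-rounded assets with no zero check."""
        cost = assets_for_shares_floor(n, self.total_assets, self.total_supply)
        self.total_assets += cost
        self.total_supply += n
        self.shares[who] = self.shares.get(who, 0) + n
        return cost

    def mint_hardened(self, who: str, n: int) -> int:
        """Mint `n` shares, charging ceil-rounded assets and refusing a zero price."""
        cost = assets_for_shares_ceil(n, self.total_assets, self.total_supply)
        if cost == 0:
            # total_assets == 0 with shares outstanding: the price is undefined,
            # so the only safe behaviour is to revert rather than mint for free.
            raise MintRejected("mint would be free: vault state is degenerate")
        self.total_assets += cost
        self.total_supply += n
        self.shares[who] = self.shares.get(who, 0) + n
        return cost


def flag_free_mints(events: list[dict]) -> list[str]:
    """Detection rule over mint events: shares created while no assets came in."""
    return [e["tx"] for e in events if e["shares_out"] > 0 and e["assets_in"] == 0]


def demo() -> dict:
    """Healthy vault vs. the same formula after the asset side has been drained."""
    healthy = Vault(total_assets=1_000_000, total_supply=1_000_000)
    cost_healthy = healthy.mint_naive("alice", 10)  # 10 assets for 10 shares

    # Assets mostly withdrawn, shares still outstanding: 10 * 5 // 1_000_000 == 0.
    drained = Vault(total_assets=5, total_supply=1_000_000)
    cost_floor_drained = drained.mint_naive("bob", 10)

    drained_hardened = Vault(total_assets=5, total_supply=1_000_000)
    cost_ceil_drained = drained_hardened.mint_hardened("bob", 10)  # rounds up to 1

    # Fully emptied vault: even ceil division gives 0, so the hardened mint reverts.
    empty = Vault(total_assets=0, total_supply=1_000_000)
    try:
        empty.mint_hardened("bob", 10)
        empty_vault_rejected = False
    except MintRejected:
        empty_vault_rejected = True

    # Constructed mint events as a monitor might index them from chain logs.
    events = [
        {"tx": "0xaaa1", "shares_out": 10, "assets_in": 10},
        {"tx": "0xaaa2", "shares_out": 10, "assets_in": 0},
        {"tx": "0xaaa3", "shares_out": 0, "assets_in": 0},
    ]
    return {
        "cost_healthy": cost_healthy,
        "cost_floor_drained": cost_floor_drained,
        "cost_ceil_drained": cost_ceil_drained,
        "empty_vault_rejected": empty_vault_rejected,
        "flagged": flag_free_mints(events),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is the rounding direction: any division in a mint or deposit path should round so that the remainder is paid by the caller, and a result of 0 should be treated as an invariant violation rather than a valid price. The event rule is deliberately simple so it can run against an indexer for every deployment a team still holds, including deprecated ones.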

PeckShield said the exploiter swapped $105,000 in USDC for about 60 ETH and still held roughly $34,000 in option tokens. The partial whitehat recovery softened the financial impact, but it did not remove the larger concern around dormant contracts that can still be called, minted through or drained.

The incident was not driven by a flashy social-engineering campaign or a market manipulation shock. It was a deterministic math failure inside old code, and that is precisely what makes it uncomfortable for DeFi teams that rely on migrations as a form of operational closure.

Migration Does Not Equal Closure

The broader lesson is that deprecated infrastructure can remain part of a protocol’s risk perimeter. If an old vault still holds value or can influence balances, it remains economically active, even if the front end, branding and user attention have moved elsewhere.

Thetanuts is not alone in facing this issue. Recent pressure around other legacy systems has included Aztec Connect, which was drained for about $2.1 million after being deprecated years earlier, and Raydium legacy liquidity pools, which were hit for roughly $1.3 million.

Those cases point to a recurring governance gap in DeFi. In traditional finance, retired systems can be fenced, archived or formally shut down, but on-chain contracts often remain publicly callable unless they were designed with safe shutdown paths from the start.

Thetanuts may be correct that its current products were not affected, but the episode raises the standard for how teams describe and manage old deployments. If a contract can still be exploited, minted through or drained, it is not merely historical infrastructure. It is active risk carrying yesterday’s branding and today’s consequences.

Shatoshi Pick