Thetanuts Finance $2.1M Exploit Reveals Risk of Abandoned Code on Blockchain

Published by James Harris on


What You Need to Know

  • Thetanuts Finance lost $2.1 million through an exploit of a deprecated vault that was still holding unmonitored funds.
  • Security firms flagged attack independently; most funds recovered but $105,000 USDC converted to ETH by attacker.
  • Deprecated contracts stay live on-chain indefinitely, typically with no one monitoring them and, where admin keys have been renounced, no way to pause them.
  • DeFi exploits reached $46 million in June alone, potentially matching or exceeding May’s total losses.

Thetanuts Finance has confirmed a $2.1 million exploit traced to a vault it deprecated years ago, with blockchain security firms PeckShieldAlert and Blockaid both flagging the attack independently before the protocol publicly acknowledged it. Most of the drained funds appear to have been recovered through whitehat efforts, but roughly $105,000 in USDC was swapped by the attacker for approximately 60 ETH, and the exploiter still holds around $34,000 in USDC-denominated option tokens.

The exploit originated in the vault’s redemption logic, according to security researcher ExVul, and Thetanuts stressed that the compromised contract has no connection to its current products. That framing is technically accurate but sidesteps an uncomfortable structural problem: deprecated code does not disappear from the blockchain. It sits there indefinitely, holding whatever funds remain, with no one actively monitoring it and, in many cases, no admin key to pause it if something goes wrong. The Aztec Connect incident, a privacy bridge abandoned since 2023 that lost $2.1 million through a verification flaw in its immutable contracts, makes the same point. In that case the team had renounced all admin keys entirely, leaving the code permanently unmodifiable and unpausable.

Deprecated is not the same as deactivated. That distinction is costing users money.
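The distinction has a concrete shape in code. The following is an added illustration written for this page, not Thetanuts’ or Aztec’s contracts: a minimal vault whose deprecation is a one-way switch into withdraw-only mode rather than an announcement that leaves every code path live. The contract name, `deprecate()`, and the `Deprecated` event are hypothetical names chosen here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Illustrative vault (hypothetical, written for this article).
/// "Deprecated" here means: no new deposits, no new risk-taking paths,
/// only the withdrawal of existing balances remains callable.
contract SunsetVault {
    IERC20 public immutable asset;
    address public immutable admin;

    bool public deprecated;        // one-way flag, never reset
    uint256 public deprecatedAt;   // block timestamp of the switch

    mapping(address => uint256) public shares;
    uint256 public totalShares;

    event Deprecated(uint256 timestamp, uint256 remainingShares);
    event Withdrawn(address indexed user, uint256 amount);

    error OnlyAdmin();
    error VaultDeprecated();
    error ZeroAmount();

    constructor(IERC20 _asset) {
        asset = _asset;
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert OnlyAdmin();
        _;
    }

    // Every state-changing path that takes on new exposure is gated here.
    modifier whenActive() {
        if (deprecated) revert VaultDeprecated();
        _;
    }

    /// Deposits stop the moment the vault is deprecated.
    function deposit(uint256 amount) external whenActive {
        if (amount == 0) revert ZeroAmount();
        shares[msg.sender] += amount;           // effects before interaction
        totalShares += amount;
        require(asset.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    /// Withdrawal stays callable forever so users are never locked out.
    /// It is deliberately 1:1 and stateless beyond the share mapping: the
    /// smaller the surviving code path, the less there is to exploit later.
    function withdraw() external {
        uint256 amount = shares[msg.sender];
        if (amount == 0) revert ZeroAmount();
        shares[msg.sender] = 0;
        totalShares -= amount;
        require(asset.transfer(msg.sender, amount), "transfer failed");
        emit Withdrawn(msg.sender, amount);
    }

    /// One-way. Emits the remaining share total so an off-chain monitor has
    /// a baseline: after this event, the asset balance should only ever fall
    /// by amounts matching Withdrawn events.
    function deprecate() external onlyAdmin whenActive {
        deprecated = true;
        deprecatedAt = block.timestamp;
        emit Deprecated(block.timestamp, totalShares);
    }
}
```

Two caveats a practitioner would raise. First, the switch only shrinks the attack surface; if the flaw lives in the path that must stay open, as it did in the redemption logic here, flipping a flag does not fix it, which is why the `Deprecated` event publishes a balance baseline that monitoring can alert on. Second, none of this is possible once admin keys have been renounced, as in the Aztec Connect case: at that point the only remaining controls are the ones compiled in before the keys were thrown away.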

The timing matters. DeFi exploits in June have already crossed $46 million with the month only half over, a pace that may match or exceed May’s total. That kind of sustained exploit activity tends to pull regulatory attention toward on-chain security standards, particularly in jurisdictions already moving on DeFi oversight. It also signals something about where attackers are currently looking: legacy contracts are softer targets than audited live code, and they are being systematically found. For protocols that have gone through multiple product iterations, any funds still sitting in old contracts represent an unacknowledged liability.

Thetanuts has said a full post-mortem is coming once it completes its investigation. The more instructive document, when it arrives, will be a clear accounting of what funds remained in the deprecated vault, how long they had been there, and whether users had been explicitly told to migrate out.

Categories: News

James Harris

Hi, I’m James Harris, dad of three, professional coffee maker (not drinker, as I make it for my wife), and the unlucky guy who once lost $48 in a crypto scam. Yep, forty-eight bucks. Not life-changing money, but just enough to sting my pride. That little scam lit a fire in me: if I could get fooled, so could anyone. And that’s how DodgeTheScam.com was born. Now I spend my time turning my mistake into your advantage. I dig into scams, fake sites, and shady schemes so you don’t have to learn the hard way. I keep things simple, honest, and sometimes funny, because staying safe online doesn’t have to feel like homework. My mission? To help you dodge scams, save your hard-earned money, and maybe give you a laugh or two along the way.
