Old Thetanuts Vault Hit by $2.1 Million DeFi Exploit
An old Thetanuts vault turned out to be vulnerable to a bug in the mint function, allowing $2.1 million to be drained. Here’s how outdated DeFi contracts can still pose risks.

Key Takeaways
- Attackers drained about $2.1 million from an outdated Thetanuts Finance vault.
- Whitehat security researchers managed to recover about $2 million in option tokens.
- The exploit came from an integer division bug in the mint function, which allowed unlimited token minting.

Attackers stole about $2.1 million (€1.8 million) from an outdated vault of Thetanuts Finance in a recent DeFi exploit. Whitehat security researchers managed to recover about $2 million (€1.7 million) in option tokens. The affected vault had already been migrated years ago and is separate from Thetanuts' active products and systems.
Integer division flaw behind the exploit
Blockchain security firms like SlowMist traced the cause to a bug in the contract's mint function. Because of rounding in integer division, the deposit formula evaluated to zero, which let an attacker mint unlimited tokens for free and led to the large theft.
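The rounding problem described above, as an added example that is not the vault's own code: a floor-division deposit formula beside a hardened one, plus an invariant check that flags every mint size priced below its fair value. The formula, function names and vault state are assumptions for illustration, since the actual contract code is not given here; Python integers stand in for Solidity's unsigned integer math.

```python
# Added illustration. Formula, names and numbers are assumptions,
# not taken from the Thetanuts contract.

def deposit_floor(shares: int, total_assets: int, total_supply: int) -> int:
    """Weak form: floor division, so a small mint can be priced at 0."""
    return shares * total_assets // total_supply


def deposit_ceil(shares: int, total_assets: int, total_supply: int) -> int:
    """Hardened form: round in the vault's favour and refuse a zero price."""
    if shares <= 0 or total_supply <= 0:
        raise ValueError("shares and supply must be positive")
    required = -(-shares * total_assets // total_supply)  # ceiling division
    if required == 0:
        raise ValueError("zero deposit for a non-zero mint")
    return required


def undercharged(price_fn, total_assets: int, total_supply: int,
                 max_shares: int) -> list[int]:
    """Return every mint size for which the minter pays less than fair value."""
    bad = []
    for shares in range(1, max_shares + 1):
        paid = price_fn(shares, total_assets, total_supply)
        # Invariant, cross-multiplied to stay in integers:
        # paid / shares >= total_assets / total_supply
        if paid * total_supply < shares * total_assets:
            bad.append(shares)
    return bad


# Constructed vault state: 1,000 asset units backing 3,000,000 share units.
ASSETS, SUPPLY = 1_000, 3_000_000

if __name__ == "__main__":
    print("floor price for 2,999 shares:", deposit_floor(2_999, ASSETS, SUPPLY))
    print("ceil price for 2,999 shares: ", deposit_ceil(2_999, ASSETS, SUPPLY))
    print("undercharged sizes (floor):  ",
          len(undercharged(deposit_floor, ASSETS, SUPPLY, 6_000)))
    print("undercharged sizes (ceil):   ",
          len(undercharged(deposit_ceil, ASSETS, SUPPLY, 6_000)))
```

The same invariant can be run as a property test against a contract's pricing function during review or before retiring a vault.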
Risks of outdated vaults in DeFi
Thetanuts stressed that this is an outdated vault that has not been maintained for years and has nothing to do with current contracts or products. This incident fits into a broader trend where exploits target outdated or legacy code in DeFi protocols. These old contracts often stay active on-chain even after teams stop maintaining them. Similar attacks were previously reported at Aztec Connect and Raydium, where millions were lost.
Why this matters for European crypto users
For European users and investors, this attack highlights the importance of being careful with legacy smart contracts in DeFi. The incident shows that even inactive vaults can still carry risk, which may matter for anyone involved in protocols with a long on-chain history and migrations.