Key Highlights
- Thetanuts Finance lost about $2.1M, with attackers targeting its index-token system using a flash-loan-based flaw in token math.
- Around $2M in option tokens were recovered through a whitehat process, but the attacker still kept about $105K swapped into ETH and $34K in tokens.
- The exploit was caused by a low-supply accounting error in smart contract calculations.
Thetanuts Finance, a decentralized options platform, suffered an exploit that drained about $2.1 million from its system, according to alerts from PeckShieldAlert and Blockaid.
The incident first came to light after unusual contract activity was observed on-chain, showing funds leaving the protocol’s option token system in real time.
In an X post on Monday, PeckShieldAlert stated, “ThetanutsFi has been exploited for $2.1M. It seems $2M in option tokens have been whitehatted.”
In the same window, the attacker interacted with the protocol’s index-token contract and managed to extract value before defenders reacted.
Blockaid also confirmed the incident while it was still unfolding. The exploit transaction was identified as 0xbba9….c39fec, and it pointed to the index-token system inside Thetanuts Finance. This system is responsible for handling minting and claiming of option-related tokens, which makes it a key part of the protocol.
What made this attack possible was a problem in the way the contract handled token math. Blockaid explained it as a low-supply accounting flaw in the index-token mint and claim logic, based on a formula using backing, token amount, and total supply.
In simple terms, the system becomes unsafe when supply numbers get too low, because the math can start to behave incorrectly.
How the attack happened
The attacker reportedly used a flash loan to take advantage of this weakness. A flash loan is money borrowed and returned in the same blockchain transaction. In this case, the attacker used it to push the token supply extremely low for a short moment.
This triggered a rounding error inside the system, which let the attacker mint tokens at almost zero cost. Once those tokens were created, they were quickly used to extract real value from the protocol.
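The class of rounding problem described above, as an added example that is not code from Thetanuts, Blockaid or PeckShield: it contrasts floor rounding with a version that rounds up and refuses to price a mint at dust-level supply. The page does not give the contract's formula, so the `backing * amount / total_supply` pricing, the function names, `MIN_SUPPLY` and the sample values are assumptions constructed for illustration.

```python
# Constructed model, not Thetanuts code: the formula, names and values are assumptions.
MIN_SUPPLY = 10**6  # hypothetical floor below which minting is refused


class PricingError(Exception):
    """Raised when a mint cannot be priced safely."""


def mint_cost_floor(backing: int, amount: int, total_supply: int) -> int:
    """Collateral owed for `amount` new tokens, rounded down (unsafe form)."""
    return backing * amount // total_supply


def rounding_loss_bps(backing: int, amount: int, total_supply: int) -> int:
    """Share of the exact cost lost to floor rounding, in basis points."""
    exact_numerator = backing * amount
    if exact_numerator == 0:
        return 0
    paid = mint_cost_floor(backing, amount, total_supply) * total_supply
    return (exact_numerator - paid) * 10_000 // exact_numerator


def mint_cost_checked(backing: int, amount: int, total_supply: int) -> int:
    """Same formula, rounded up in the protocol's favour, with guards."""
    if amount <= 0:
        raise PricingError("amount must be positive")
    if total_supply < MIN_SUPPLY:
        raise PricingError("supply below minimum, pricing disabled")
    cost = -(-(backing * amount) // total_supply)  # ceiling division
    if cost == 0:
        raise PricingError("mint would be free")
    return cost


if __name__ == "__main__":
    # Constructed states: (label, backing, amount, total_supply) in base units.
    states = [
        ("healthy", 5_000_000_000, 1_000_000, 5_000_000_000),
        ("low supply", 10, 1, 7),
        ("dust", 3, 2, 7),
    ]
    for label, backing, amount, supply in states:
        floor_cost = mint_cost_floor(backing, amount, supply)
        loss = rounding_loss_bps(backing, amount, supply)
        try:
            checked = mint_cost_checked(backing, amount, supply)
        except PricingError as exc:
            checked = f"rejected ({exc})"
        print(f"{label}: floor={floor_cost} loss={loss}bps checked={checked}")
```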
After the exploit, the attacker quickly moved the funds. Around $105,000 USDC was swapped into roughly 60 ETH, likely to break traceability across liquidity pools. However, the attacker did not make a fully clean exit.
Partial recovery through whitehat
PeckShieldAlert confirmed that approximately $2M worth of option tokens were recovered through a whitehat process. However, the attacker still managed to keep about $34,000 in USDC-based option tokens, which were not recovered.
Blockaid also confirmed the exploit path step-by-step, from contract interaction to fund movement, indicating a fast-moving attack chain typical of flash-loan-driven exploits.
Meanwhile, Thetanuts Finance has responded to the situation, stating that the affected contract appears to be tied to a deprecated vault that was migrated away from years ago, and that it is not connected to any of its current active products or contracts.
2026’s exploit problem continues
This incident adds to the number of exploits recorded across DeFi this year. Many of these attacks have not broken blockchains directly, but instead found mistakes in smart contract math and logic.
These exploits have totalled about $328 million as of mid-May. The largest was the $292 million theft on KelpDAO LayerZero, which happened on April 18, followed by the $285M Drift Protocol exploit on April 1.
There have also been smaller incidents, like the $10.8 million exploit on THORChain and 11.58 million on Verus Protocol.
