Structured products protocol Thetanuts Finance suffered an exploit on June 15, 2026, resulting in a loss of approximately $2.1 million, according to blockchain security firm PeckShield. The attack targeted a deprecated legacy vault that had been migrated years ago, and swift intervention by white hat hackers enabled the recovery of nearly $2 million in option tokens.
PeckShieldAlert first flagged the incident on social media, noting that the exploiter had swapped $105,000 in USDC for roughly 60 ETH and still held $34,000 in USDC-denominated option tokens. The white hat address managed to secure $2 million worth of option tokens, substantially limiting the damage.
Thetanuts Finance confirmed the exploit within hours, stating, “Our preliminary investigation indicates that this is once again, a deprecated vault that we have migrated from years ago. It has no relation to any of our current contracts or products.” The protocol promised a full post-mortem. Security researcher ExVul attributed the breach to a vulnerability in the vault’s redemption logic, while Blockaid’s detection system independently issued an alert with the exploiter’s and contract’s addresses.
The incident adds to a growing series of attacks on deprecated protocols. Earlier in June, Aztec Connect, an abandoned privacy bridge, lost $2.1 million due to a verification flaw in immutable smart contracts. So far in June, total DeFi exploit losses have exceeded $46 million, and the pace may rival or surpass May’s figures. The Thetanuts case underscores that abandoned code can remain a significant risk for residual funds.
