Thetanuts Finance Exploit: $2.1M Option Token Drain Mostly Recovered by White Hat

$2.1M in option tokens was drained from Thetanuts Finance; a white hat recovered $2M while the attacker converted about $105K into USDC and 60 ETH.

  • Incident Date: June 15, 2026
  • Target: Thetanuts Finance
  • Target Overview: Thetanuts Finance is a multichain DeFi protocol focused on options vaults and structured yield products. DefiLlama listed the protocol with roughly $20.8 million in TVL when reviewed after the incident.
  • Total Loss: ~$2.1 million gross affected value, with approximately $2.0 million reportedly recovered by a white hat
  • Reported Remaining Attacker Gain: About $105,000 was converted into USDC and then swapped for 60 ETH; the attacker reportedly still held about $34,000 in option tokens.
  • Attack Vector: Suspected smart-contract logic flaw (option-token accounting or settlement-path abuse); root cause not yet publicly confirmed

Incident Review & Technical Details

1. Attack Path

  1. The Exploit Targeted Option Tokens: Public reporting attributed to PeckShieldAlert said Thetanuts Finance suffered an exploit involving approximately $2.1 million in option tokens. The reviewed sources did not identify a private-key compromise, front-end compromise, or oracle manipulation path.
  2. A White Hat Recovered Most of the Gross Drain: News coverage reported that a white hat recovered roughly $2.0 million of the affected value, so the gross impacted amount (about $2.1 million) should not be read as the final loss: the publicly reported attacker-retained value was much smaller.
  3. The Attacker Converted a Smaller Portion: According to the same public reporting, the attacker converted approximately $105,000 into USDC and then swapped those funds for 60 ETH.
  4. Residual Option Tokens Remained in the Attacker's Control: Reports also said the attacker still held about $34,000 in option tokens after the initial conversion activity.
  5. Root Cause Remains Publicly Unresolved: The available sources did not provide the vulnerable function, affected contract address, transaction hash, option-token series, or exact accounting invariant that failed. Until a final postmortem is available, the safest classification is a suspected smart-contract logic flaw affecting option-token accounting, redemption, or settlement behavior.

2. Impact Scope

  • Protocol-Level Loss: Public reporting placed the gross affected value at approximately $2.1 million in option tokens.
  • Recovered Value: Approximately $2.0 million was reportedly recovered by a white hat, reducing the likely unrecovered exposure.
  • Attacker-Retained Value: About $105,000 was reportedly converted into USDC and then into 60 ETH, with about $34,000 in option tokens still held by the attacker.
  • Affected Asset Class: The affected assets were described as Thetanuts Finance option tokens. The reviewed sources did not specify the exact vault, expiry, strike, or token contract set.
  • Affected Network: The public summaries did not identify the affected chain in the retrieved text. Because Thetanuts Finance is multichain, the exact deployment and contract set should be confirmed from transaction records before the incident is attributed to a specific chain.
  • Disclosure Gap: The reviewed sources did not include a project postmortem, affected contract addresses, exploit transactions, final recovery transaction, patch details, or user-compensation process.

3. Official Statements

  • PeckShieldAlert: Public coverage cited PeckShieldAlert as the source of the alert that Thetanuts Finance suffered an approximately $2.1 million exploit, with most funds recovered by a white hat and a smaller portion swapped into 60 ETH.
  • Thetanuts Finance: No official Thetanuts Finance statement or final postmortem was identified in the reviewed sources at the time of writing.
  • News Coverage: MEXC, republishing BitcoinWorld coverage, reported the same headline figures: $2.1 million in gross affected option tokens, $2.0 million recovered by a white hat, about $105,000 converted into USDC and 60 ETH, and roughly $34,000 in option tokens still held by the attacker.

4. Investigation Progress

The key technical question is whether the exploit abused option-token minting, redemption, settlement, vault-share accounting, pricing assumptions, or transfer authorization. Option vault systems often combine ERC-20-like token balances with time-bound expiry, collateral accounting, settlement rules, and vault share conversion. A mismatch in any of those boundaries can turn a token-level accounting bug into a protocol-level drain.

Recommended response steps for Thetanuts-style option vault systems:

  • Publish the affected chain, vault, option token contracts, exploit transactions, white-hat recovery transactions, and current unrecovered balances.
  • Reconstruct the exploit on a fork and convert the failing path into regression tests.
  • Review option-token mint, burn, redemption, settlement, expiry, collateral-release, and vault-share conversion invariants.
  • Confirm whether the same option-token accounting assumptions exist across other chains, vaults, expiries, or structured yield products.
  • Add monitoring for abnormal option-token minting, redemption, expiry settlement, collateral withdrawal, and rapid USDC or ETH conversion after vault events.
  • Clarify whether recovered funds are already back under protocol control and whether any users need reimbursement or manual settlement.
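As an added illustration of the invariant-review and monitoring steps above (this is not Thetanuts Finance code; the vault model, event schema and 1:1 collateralization are assumptions), the following checker replays a constructed option-vault event stream and reports every transition that breaks a collateral, settlement or redemption invariant:

```python
# Added example with an assumed vault model, not Thetanuts code: replay events, flag invariant breaks.
from dataclasses import dataclass

CONTRACT_SIZE = 1  # collateral locked per option token (assumed 1:1)

@dataclass
class VaultState:
    collateral: int = 0    # collateral currently held by the vault
    options: int = 0       # option tokens outstanding
    settled: bool = False  # expiry settlement has run
    payout: int = 0        # collateral owed per option once settled

def step(state: VaultState, ev: dict) -> list[str]:
    """Apply one event and return the invariants it breaks (empty if none)."""
    bad, kind = [], ev["type"]
    if kind == "deposit":
        state.collateral += ev["amount"]
    elif kind == "mint":
        state.options += ev["amount"]
        if state.settled:
            bad.append("mint after settlement")
    elif kind == "settle":
        state.settled, state.payout = True, ev["payout"]
    elif kind == "redeem":
        state.options -= ev["burned"]
        state.collateral -= ev["released"]
        if not state.settled:
            bad.append("redeem before settlement")
        elif ev["released"] != ev["burned"] * state.payout:
            bad.append(f"redeem released {ev['released']} for {ev['burned']} options")
    elif kind == "withdraw":
        state.collateral -= ev["amount"]
    # Global invariant after every event: collateral must cover every outstanding option.
    owed = state.options * (state.payout if state.settled else CONTRACT_SIZE)
    if state.collateral < owed:
        bad.append(f"collateral {state.collateral} < owed {owed}")
    return bad

def audit(events: list[dict]) -> list[tuple[int, str]]:
    """Replay events from an empty vault; return (event index, violation) pairs."""
    state, findings = VaultState(), []
    for i, ev in enumerate(events):
        findings += [(i, msg) for msg in step(state, ev)]
    return findings

# Constructed sequences: a sound lifecycle, and one whose redemption releases more than the settled payout.
GOOD = [{"type": "deposit", "amount": 100}, {"type": "mint", "amount": 100}, {"type": "settle", "payout": 0},
        {"type": "redeem", "burned": 100, "released": 0}, {"type": "withdraw", "amount": 100}]
DRIFT = GOOD[:3] + [{"type": "redeem", "burned": 10, "released": 30}]
```

The same replay can be pointed at a forked chain's decoded events to turn a reconstructed exploit path into a regression test.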

AUTOSEC.DEV Solution

The Thetanuts Finance incident shows why DeFi option vaults need contract-level invariant testing around token accounting, settlement, and recovery paths, not only standard ERC-20 transfer checks.

  1. Secure Code Review - The reported Thetanuts Finance drain involved option tokens and an unresolved smart-contract failure mode. AUTOSEC.DEV reviews DeFi vault logic, option-token mint and burn boundaries, settlement paths, collateral accounting, share conversion, and cross-vault invariants to catch value-moving logic gaps before deployment.
  2. Penetration Testing - The attacker reportedly converted a smaller portion of the affected value into USDC and 60 ETH after the option-token drain. We reproduce adversarial workflows on forks, including abnormal redemption, expiry settlement, token accounting drift, and post-drain swap routes, so teams can validate controls under realistic attacker behavior.
  3. Incident Response - Because a white hat reportedly recovered about $2.0 million, the next risk is evidence handling, fund-control verification, and clean user remediation. AUTOSEC.DEV supports exploit reconstruction, recovered-fund validation, fund-flow tracing, exchange coordination, disclosure support, and regression-test design after DeFi incidents.
