Legacy DeFi Vault Exploit Drains $2.1 Million from Thetanuts Finance
The first alert came from PeckShieldAlert, the alert account of blockchain security firm PeckShield, which monitors on‑chain activity. PeckShield reported that the attacker was able to drain about $2 million worth of option tokens from the vault. White‑hat security researchers then intervened and recovered roughly $2 million of those tokens before the attacker could liquidate them.
Despite the recovery, the attacker still moved about $105,000 of USDC into roughly 60 ETH through decentralized exchanges and retained about $34,000 of USDC‑denominated option tokens in their primary address. The total value lost was therefore about $2.1 million.
A technical analysis released by security analyst ExVul traced the exploit to a flaw in the vault’s redemption logic. The redemption logic, which governs how users withdraw assets, contained an arithmetic error that let the attacker trigger a redemption without passing the required collateral checks. The flaw lived in the old contract code, which had not been updated when the vault was decommissioned.
Thetanuts Finance issued a statement on X (formerly Twitter) stating that the incident was isolated to the deprecated vault and that it had no impact on the protocol’s active contracts. The statement also said that the team would publish a forensic report once the investigation was complete.
Blockaid, another monitoring platform, independently identified the malicious transactions and broadcast the attacker’s wallet address along with the target contract address to the developer community.
The incident highlights a broader issue in the DeFi ecosystem: contracts that are no longer in use remain on the blockchain and can still hold funds. Even after a protocol migrates to new contracts, the old code stays immutable and can be exploited if it contains vulnerabilities.
A similar problem was seen earlier in June when Aztec Connect, a privacy‑focused bridge that had been shut down in 2023, was exploited for about $2.1 million. In both cases, the attackers targeted legacy contracts that had not been patched.
According to data from blockchain monitoring services, cumulative losses from DeFi hacks in June 2026 exceeded $46 million, a figure that could surpass the losses recorded in May. The trend raises concerns for institutional investors who are cautious about security risks.
Industry experts argue that protocols need to adopt proactive sunsetting strategies. Recommendations include adding self‑destruct functions, emergency pause mechanisms, and automated migration vaults to the initial contract design. Continuous monitoring of deprecated contracts is also advised to detect unusual activity before a large drain occurs.
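The continuous monitoring recommended above can be reduced to a few rules over the token transfers of a retired contract: a decommissioned vault should receive no deposits and should only send funds to known migration or treasury addresses, and any burst of other outflows is a drain in progress. The Python below is an added example, not code from Thetanuts Finance or any monitoring vendor; the addresses, thresholds and transfer records are constructed placeholders.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed placeholder addresses for this example; substitute the protocol's real ones.
DEPRECATED_VAULTS = {"0xLEGACY_VAULT"}
APPROVED_SINKS = {"0xMIGRATION_VAULT", "0xTREASURY"}  # only legitimate destinations
WINDOW_BLOCKS = 20          # rolling window (in blocks) for cumulative outflow
DRAIN_LIMIT_USD = 250_000   # cumulative unexpected outflow that signals a drain

@dataclass(frozen=True)
class Transfer:
    block: int
    tx_hash: str
    token: str
    sender: str
    receiver: str
    value_usd: float

def scan(transfers: list[Transfer]) -> list[str]:
    """Replay transfers in block order and flag activity on retired vaults.
    Rules: (1) any inflow to a retired vault, (2) any outflow to an address outside
    APPROVED_SINKS, (3) unexpected outflow summed over WINDOW_BLOCKS >= DRAIN_LIMIT_USD."""
    alerts: list[str] = []
    window = defaultdict(deque)      # vault -> deque of (block, usd) unexpected outflows
    running = defaultdict(float)     # vault -> usd summed over the current window
    for t in sorted(transfers, key=lambda x: x.block):
        if t.receiver in DEPRECATED_VAULTS:
            alerts.append(f"INFLOW_TO_RETIRED {t.tx_hash} ${t.value_usd:,.0f} {t.token} from {t.sender}")
        if t.sender in DEPRECATED_VAULTS and t.receiver not in APPROVED_SINKS:
            alerts.append(f"UNEXPECTED_OUTFLOW {t.tx_hash} ${t.value_usd:,.0f} {t.token} to {t.receiver}")
            q = window[t.sender]
            q.append((t.block, t.value_usd))
            running[t.sender] += t.value_usd
            while q[0][0] < t.block - WINDOW_BLOCKS:  # evict outflows older than the window
                running[t.sender] -= q.popleft()[1]
            if running[t.sender] >= DRAIN_LIMIT_USD:
                alerts.append(f"DRAIN_IN_PROGRESS {t.sender} ${running[t.sender]:,.0f} within {WINDOW_BLOCKS} blocks")
    return alerts

# Constructed sample: one legitimate migration sweep, then a burst of redemptions to an unknown address.
SAMPLE = [
    Transfer(100, "0xtx1", "oUSDC", "0xLEGACY_VAULT", "0xMIGRATION_VAULT", 900_000.0),
    Transfer(205, "0xtx2", "oUSDC", "0xLEGACY_VAULT", "0xUNKNOWN", 150_000.0),
    Transfer(206, "0xtx3", "oUSDC", "0xLEGACY_VAULT", "0xUNKNOWN", 120_000.0),
    Transfer(260, "0xtx4", "USDC", "0xUNKNOWN", "0xLEGACY_VAULT", 1_000.0),
]
```

Running `scan(SAMPLE)` yields two unexpected-outflow alerts, a drain alert once the window total reaches $270,000, and an inflow alert for the deposit into the retired vault, while the migration sweep alone produces nothing.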
Thetanuts Finance’s recovery effort, which salvaged most of the option tokens, demonstrates the role of white‑hat actors in mitigating losses. However, the remaining funds that were converted to ETH and the retained option tokens illustrate the precision with which attackers can move assets through decentralized venues.
The protocol has not yet released a detailed forensic report, but it has confirmed that all active investor capital remains safe. The incident serves as a reminder that legacy code can be a persistent security liability in the immutable environment of Ethereum.
The broader DeFi community is watching closely to see whether new best‑practice guidelines will be adopted to prevent similar incidents in the future.