DeFi attack: Thetanuts Finance recently suffered a $2.1 million exploit when an attacker targeted one of its deprecated vaults. The incident, which unfolded last Friday, involved a sophisticated manipulation of an oracle price feed and demonstrates the persistent risk posed by unmonitored legacy infrastructure in decentralized finance.
A front-running bot complicated the situation further, snatching a significant portion of the stolen funds before the original attacker could fully capitalize. (via DeFiLlama)
Key Highlights
- A total of $2.1 million in digital assets was siphoned from a deprecated Thetanuts Finance vault.
- A sophisticated bot named “jiggly” successfully front-ran the primary attacker, netting $1.26 million through rebalancing.
- The original exploiter received the remaining $840,000 from the compromised contract.
- The attack hinged on manipulating the sOHM/OHM Chainlink price feed, which was part of the deprecated vault’s oracle system.
- Thetanuts Finance confirmed the exploit on X, urging users to withdraw funds from any remaining older vaults and promising a full post-mortem.
The Mechanics of the Exploit
The attack began with oracle price manipulation, a common vector for DeFi exploits. The attacker took a flash loan of 10,000 Wrapped Ether from Aave to execute the scheme. That large sum allowed the temporary distortion of the sOHM/OHM Chainlink price feed, which the deprecated Thetanuts vault relied on to value its assets.
The misconfigured, or perhaps simply outdated, oracle integration provided the window for the exploit. By temporarily skewing this critical price data, the attacker purchased options from the vault at artificially low prices. Once acquired, the options were immediately exercised and converted into profitable assets before the feed normalized, all within a single precisely timed operation that extracted significant value from the vault. Thetanuts Finance operates as an options protocol, offering users automated strategies through structured products such as covered calls and put selling, with the aim of delivering sustainable yields. This incident did not break those strategies themselves; it bypassed them through external manipulation of the price the vault trusted.
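To make the two missing controls concrete, here is an added, hypothetical Solidity vault (not Thetanuts' code, which the article does not show): a one-way sunset switch that turns a deprecated vault withdraw-only, and a price gate that rejects stale or sharply deviating oracle readings before they are used to price an option. The feed address, the 5% deviation band and the one-hour staleness limit are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Subset of Chainlink's AggregatorV3Interface (real interface; only latestRoundData is used).
interface IAggregatorV3 {
    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80);
}
// Hypothetical option vault with two controls the incident calls for:
// (1) a one-way sunset switch that makes a deprecated vault withdraw-only, and
// (2) an oracle sanity gate that refuses stale or sharply deviating prices, so a
//     single-transaction flash-loan spike cannot be used to price an option purchase.
contract SunsetGuardedVault {
    address public immutable owner;
    IAggregatorV3 public immutable feed;            // e.g. an sOHM/OHM-style feed (address assumed)
    bool public sunset;                              // once true, quotes revert for good
    int256 public lastAcceptedPrice;                 // reference for the deviation check
    uint256 public constant MAX_STALENESS = 1 hours; // assumed limit
    uint256 public constant MAX_DEVIATION_BPS = 500; // assumed: 5% move per accepted update
    event Sunset(address indexed by);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier notSunset() { require(!sunset, "vault deprecated: withdraw only"); _; }

    constructor(address feed_, int256 initialPrice) {
        require(initialPrice > 0, "bad initial price");
        owner = msg.sender;
        feed = IAggregatorV3(feed_);
        lastAcceptedPrice = initialPrice;
    }
    // The decommissioning step a deprecated vault needs: irreversible, and it emits an event to watch.
    function declareSunset() external onlyOwner { sunset = true; emit Sunset(msg.sender); }

    // Returns the feed price only if it is fresh and inside the deviation band; reverts otherwise.
    function safePrice() public returns (int256 price) {
        uint256 updatedAt;
        (, price, , updatedAt, ) = feed.latestRoundData();
        require(price > 0, "invalid price");
        require(block.timestamp - updatedAt <= MAX_STALENESS, "stale price");
        int256 ref = lastAcceptedPrice;
        int256 diff = price > ref ? price - ref : ref - price;
        require(uint256(diff) * 10_000 <= uint256(ref) * MAX_DEVIATION_BPS, "price deviates too much");
        lastAcceptedPrice = price;
    }
    // Quotes a call premium as intrinsic value plus a flat time value (assumed 1% of spot), in the
    // feed's units, and only while the vault is live. Payment and option minting are out of scope.
    function quoteCallPremium(int256 strike) external notSunset returns (int256 premium) {
        int256 spot = safePrice();
        require(strike > 0, "bad strike");
        int256 intrinsic = spot > strike ? spot - strike : int256(0);
        premium = intrinsic + spot / 100;
    }
}
```

Because the deviation gate compares against the last accepted price, it blocks an in-transaction spike but also rejects genuine large moves until the reference catches up; production code usually compares against a TWAP or a second independent feed instead. Watching for the `Sunset` event is also a cheap way for monitoring to confirm that every retired vault was actually switched off.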
Jiggly the Bot Joins the Fray
Adding a layer of complexity to the exploit was the swift intervention of a front-running bot known as “jiggly.” As the original attacker initiated their transaction, jiggly detected the impending profitable opportunity. The bot then executed its own transactions ahead of the primary exploiter’s, effectively rebalancing and securing a substantial portion of the stolen assets.
This bot managed to extract $1.26 million from the compromised vault. The remaining $840,000 ultimately went to the wallet associated with the original exploiter, identified by the address `0xb3…d78`. The incident highlights the high-stakes environment of decentralized finance, where automated bots constantly monitor the mempool for profitable opportunities, often at the expense of other actors.
Deprecated Infrastructure and Thetanuts’ Response
The root cause of this vulnerability lay in the vault’s deprecated status. Thetanuts Finance had launched its v3 protocol on Arbitrum approximately three weeks before the exploit. That upgrade rendered older vaults, including the one targeted, obsolete. Unfortunately, the deprecated infrastructure lacked the active monitoring and security oversight applied to the live v3 system.
The protocol acknowledged the incident on X, confirming that the exploited vault was indeed deprecated. The Thetanuts team immediately prioritized contacting affected users, cautioning them about funds still held in similar outdated contracts. It also committed to a full post-mortem with details of the attack vector and the preventive measures it will take going forward. Ensuring continuous security for all smart contracts, including those no longer actively used, remains a critical challenge for the entire Web3 community; a deployed contract keeps accepting transactions until it is explicitly paused, drained or upgraded, so retirement has to be a deliberate step rather than an announcement. The situation shows why protocols must manage their entire lifecycle with vigilance. For ongoing security insights across the decentralized sector, readers can refer to the TCB DEFI PULSE.
A Pattern of Past Incidents
This is not Thetanuts Finance’s first encounter with a security breach. The protocol previously suffered a $1.6 million exploit in 2022. That incident stemmed from a different vector, specifically a bug within one of its smart contracts. Notably, part of the funds stolen in the 2022 exploit was recovered, a reminder that outcomes after such events vary.
While the previous exploit was due to an internal contract flaw and this recent one to external oracle manipulation of a deprecated vault, both highlight the ongoing security challenges facing DeFi protocols. Each incident is a reminder that even established projects can fall victim to sophisticated attacks if any part of their infrastructure is not rigorously secured and maintained.
Frequently Asked Questions
What happened to Thetanuts Finance?
Thetanuts Finance recently experienced a $2.1 million exploit in which an attacker targeted one of its older, deprecated vaults. The incident highlights the ongoing risks associated with unmonitored legacy systems in decentralized finance.
How much money was stolen from Thetanuts Finance?
A total of $2.1 million in digital assets was siphoned from a deprecated Thetanuts Finance vault. A sophisticated bot called ‘jiggly’ managed to front-run the primary attacker, snagging $1.26 million of the stolen funds.
What is a deprecated vault in crypto?
In this context, a deprecated vault is an older, unmonitored part of Thetanuts Finance’s infrastructure that was no longer actively maintained but was still live on-chain. The exploit demonstrates that even inactive systems pose significant security risk if they are not properly decommissioned.
How did the attacker exploit Thetanuts Finance?
The attack hinged on manipulating the sOHM/OHM Chainlink price feed, which was part of the deprecated vault’s oracle system. The attacker used a flash loan from Aave to execute this price manipulation, a common method for exploits in the DeFi space.
The TCB View
Our read: This $2.1 million exploit isn’t just about Thetanuts Finance; it’s a signal of the systemic risk posed by forgotten or unmonitored deprecated infrastructure across the DeFi market. The critical vulnerability wasn’t a flaw in the active v3 protocol but in a legacy system left open. Many protocols, in their rush to innovate, neglect the meticulous decommissioning of older contracts, leaving silent backdoors for attackers. The risk is clear: security audits often focus on active code, leaving abandoned contracts as easy targets. The opportunity lies in developing industry best practices for the secure deprecation and retirement of smart contracts, so that audits and monitoring extend to all deployed code, live or legacy. The signal to track: the detailed post-mortem from Thetanuts Finance, specifically its plan to identify and secure all remaining deprecated contracts.