An attacker stole about $105,000 from Thetanuts Finance, an options vault protocol, on Ethereum. They abused how the protocol's index vault tracked shares: by taking a flash loan and calling the vault's mint function 37 times, they inflated their balance in the underlying put-option vaults without ever depositing the matching USDC. They then redeemed the fake Bitcoin and Ether vault shares for about $105,000 of real USDC and repaid the flash loan. There is no tradeable NUTS governance token, so token holders were not affected; the loss came out of vault deposits.
Bitcoin and Ether put vaults: drained (about $105,000 USDC drained)
AVAX, BNB and MATIC put vaults: partially affected (shares inflated and taken, but left unredeemed because the vaults were illiquid)
What the score saw
We had not published a live score for Thetanuts Finance, but the weakness here is a kind we track closely: a vault that mints shares through an internal accounting hook without checking that real funds back them. When a deposit can be credited for free and then redeemed for real money, a single flash loan turns it into a drain.
Exploit anatomy
The attacker deployed an exploit contract that flash-borrowed index tokens, then called mint 37 times on the Thetanuts index vault. Each mint credited shares in the underlying Bitcoin put vault and Ether put vault with no USDC behind them. The attacker then redeemed those shares for about $105,000 USDC and repaid the flash loan.
Illiquid AVAX, BNB and MATIC shares: stolen but unredeemed (missing control). Those sub-vaults had no liquidity to cash out, so only the BTC and ETH shares were realized.
NUTS governance token: untouched. Safe. The exploit hit the index and cash-secured-put vault accounting; there is no tradeable NUTS governance token at risk.
Mechanism
Each index mint ran a zero-value transferFrom hook that credited cash-secured-put vault shares with no USDC deposit. An Aave flash loan amplified it across 37 mints, then the inflated BTC and ETH shares were redeemed for real USDC. This was a share-accounting flaw, not a price oracle bug.
The contract called mint on the index vault 37 times. Each mint ran a zero-value transferFrom on all five underlying put vaults, an accounting hook that credited the attacker shares without moving any tokens.
The attacker repaid the Aave flash loan and kept about 105,471 USDC. The AVAX, BNB and MATIC put vault shares were also inflated and taken, but left unredeemed because those vaults were illiquid.
Thetanuts' TN-IDX-USDC-PUT index vault sits on top of five cash-secured-put sub-vaults (BTC, ETH, AVAX, BNB, MATIC). The index vault's mint path updates the caller's position in each sub-vault through an accounting hook implemented as a zero-value transferFrom on each sub-vault. Because that hook credited share accounting while moving no tokens, repeatedly calling mint inflated the caller's sub-vault share balances with no matching USDC deposit. The attacker flash-borrowed index tokens from Aave, looped mint 37 times to inflate their Bitcoin and Ether sub-vault shares, redeemed those shares for about 105,471 USDC, and repaid the flash loan. The fix is to back every credited share with a real deposit and reconcile shares against collateral.
Prevention analysis
Similar incidents
ERC4626 share-inflation class
Vaults that credit or price shares without verifying the underlying deposit are repeatedly drained, often with a flash loan to amplify. Same root cause: share accounting decoupled from real collateral.
Flash-loan vault manipulation (2023 to 2025)
Multiple vault hacks used a flash loan to inflate an internal balance, then redeemed it for real assets in the same transaction. Same shape as this exploit.
Remediation
1. Back every share credited through the index vault with a real, transferred deposit; never credit shares on a zero-value transfer.
2. Reconcile each sub-vault's total shares against its actual collateral on every mint and withdraw, and revert if they diverge.
3. Add a same-block or flash-loan guard so a position cannot be minted and redeemed within one transaction.
4. Pause the index and cash-secured-put vaults, account for the stolen shares, and make depositors whole before re-enabling.
Timeline
2026-06-15: Attacker deploys an exploit contract and flash-borrows index vault tokens from Aave.
2026-06-15: The contract calls mint 37 times, inflating its share balance across five put vaults with no USDC deposited.
2026-06-15: The attacker redeems the inflated Bitcoin and Ether vault shares for 105,471.50 USDC, repays the flash loan, and keeps the profit.