Thetanuts $2.1M Flash-Loan Exploit: How a Low-Supply Rounding Bug Let an Attacker Mint Tokens for Free
Authors: Leo
17/06/2026
#Earning Strategy

In June of this year, an attacker exploited a bug in an old Thetanuts Finance contract, draining $2.1 million from the defunct contract in a single transaction. The attacker used a flash loan to push the vault's index-token supply to almost zero, which broke the arithmetic used to calculate withdrawals. As a result they could value and redeem an excessive amount of options index tokens at no cost to themselves.

In total, white hats recovered about $2 million worth of options tokens. The attacker kept a little more than $34,000 in tokens and swapped approximately $105,000 for roughly 60 ETH, which can no longer be traced. Thetanuts has said it migrated away from the old legacy vault that was hacked, but legacy vaults that lack proper accounting and have no liquidity are not edge cases; they are systemic risks.

The phrase flash loan exploit is eye-catching in a headline, but it sounds far more threatening than it is once you understand how such an exploit works. The Thetanuts hack is a good example: the flaw that caused the losses was extremely simple and obvious. It required no compromised private key, no malicious governance vote and no advanced mathematics; it was nothing more than a division going wrong because one operand was extremely small.

This article explains what flash loans are, why driving a token's supply to zero breaks accounting formulas, how the attack on Thetanuts unfolded step by step, and the lesson for anyone holding low-liquidity tokens or interacting with obsolete contracts.

What a flash loan actually is

Flash loan - A flash loan is an unsecured loan that is borrowed and repaid within a single on-chain transaction. You can borrow a substantial amount of tokens (millions of dollars) without providing any collateral, under just one rule: you must pay back the full amount (plus a small fee) by the end of your transaction. If you cannot, the entire transaction is treated as if it had never happened, and the lender loses nothing.

This could be viewed as reckless, but if you are aware of how a blockchain transaction works, it is much less of a risk to the lender. If you borrow funds, and then immediately pay back the funds as part of the same transaction, the lender will have zero risk. You will either pay back the funds, or there will not be any funds to repay.

Flash loans have real value and are used legitimately. For example, if a token sells for $8 at venue A and $10 at venue B, you can borrow the $8, buy the token at venue A, sell it at venue B and keep the difference, all in one step and without any capital of your own.

Flash loans can also be abused, however, and used as a weapon to push a protocol's internal numbers to values its developers never anticipated. The attacker needs the temporary size only to bend a formula. That is what happened to Thetanuts.

Why a near-zero supply breaks the math

Visualize a vault, where the vault has backing assets like USDC and options. The vault will issue index tokens or shares that represent your ownership based on the backing assets in the vault. When you go to redeem your index tokens, the vault will deliver to you an amount of the backing assets based on the number of index tokens you hold.

The formula for determining what you will receive when you redeem an index token is as follows:

payout = backing * amount / totalSupply

Where:

  • backing = the total value of the assets the vault owns
  • amount = number of index tokens being redeemed
  • totalSupply = total number of index tokens in existence

This formula will work perfectly under normal circumstances. For example, if the vault contains $1,000,000 worth of assets, and there are 1,000,000 total index tokens, if an individual redeems 1 index token, the individual will receive $1. If the individual redeems 100 index tokens, they will receive $100.

The problems begin when totalSupply becomes very small. With fewer than 10 index tokens outstanding, totalSupply is tiny and the formula above yields an enormous payout per token, because dividing by a very small number produces a very big number. On top of that, Solidity integer division has no decimals and truncates: 7 divided by 3 gives 2, not 2.33. When totalSupply is large, those rounding errors are negligible; when it is small (fewer than 10), rounding combined with division by a tiny number leaves a very large amount of value for an attacker to exploit.

This was the key design flaw at Thetanuts. Security researchers traced it to the accounting behind the index-token mint logic. If the supply is ever driven low enough to enter this unsafe regime, an attacker can mint index tokens at near-zero cost and reclaim far more backing than they paid to mint them.

The flash loan was needed only to create that low-supply condition for a brief moment within a single transaction, after which everything was put back so the loan could be repaid.
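To make the arithmetic concrete, here is an added example (not Thetanuts' code, and not the vault's actual implementation) that models the share-accounting pattern described above in integer arithmetic, the naive formula beside an ERC-4626-style hardened version with a virtual share offset. It assumes the naive vault prices mints 1:1 when totalSupply is zero, a common legacy pattern; every number is constructed.

```python
# Added example: integer model of index-token accounting, naive vs hardened.
# Assumption (not Thetanuts' real code): the naive vault mints 1:1 when
# totalSupply == 0 and otherwise uses backing * amount / totalSupply.

VIRTUAL_OFFSET = 10**6  # virtual index tokens added to totalSupply (hardened only)


def naive_mint(deposit: int, backing: int, supply: int) -> int:
    """Index tokens minted for `deposit` units of backing; integer, rounds down."""
    if supply == 0:
        return deposit                      # 1:1 when nothing is outstanding
    return deposit * supply // backing


def naive_redeem(amount: int, backing: int, supply: int) -> int:
    """payout = backing * amount / totalSupply, exactly as in the article."""
    return backing * amount // supply


def hardened_mint(deposit: int, backing: int, supply: int) -> int:
    # The virtual offset keeps the price well-defined even at supply ~0,
    # and rounding down means a depositor can never over-claim.
    return deposit * (supply + VIRTUAL_OFFSET) // (backing + 1)


def hardened_redeem(amount: int, backing: int, supply: int) -> int:
    return amount * (backing + 1) // (supply + VIRTUAL_OFFSET)


def granularity(backing: int, supply: int, hardened: bool = False) -> int:
    """Backing value of one index token: the size of one rounding step."""
    if hardened:
        return (backing + 1) // (supply + VIRTUAL_OFFSET)
    return backing // supply if supply else backing


def round_trip_loss(deposit: int, backing: int, supply: int,
                    hardened: bool = False) -> int:
    """Backing lost to rounding by minting and then immediately redeeming."""
    mint, redeem = ((hardened_mint, hardened_redeem) if hardened
                    else (naive_mint, naive_redeem))
    shares = mint(deposit, backing, supply)
    payout = redeem(shares, backing + deposit, supply + shares)
    return deposit - payout


if __name__ == "__main__":
    backing = 2_100_000                 # constructed: ~$2.1M of backing in base units
    for supply in (1_000_000, 2):       # healthy float vs the "fewer than 10" zone
        print(f"supply={supply}: naive step={granularity(backing, supply)}, "
              f"naive loss={round_trip_loss(1_000, backing, supply)}, "
              f"hardened step={granularity(backing, supply, True)}, "
              f"hardened loss={round_trip_loss(1_000, backing, supply, True)}")
    # Zero-supply path: naive 1:1 pricing hands a 1-unit depositor the whole vault
    shares = naive_mint(1, backing, 0)
    print("naive zero-supply claim:", naive_redeem(shares, backing + 1, shares))
    print("hardened zero-supply shares:", hardened_mint(1, backing, 0))
```

At a supply of 2 the naive rounding step is over a million units and a 1,000-unit deposit mints nothing, while the virtual offset keeps the step at 2 units and the round-trip loss at 1 unit regardless of supply.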

The attack flow, step by step

The description below is conceptual (the exact internal calls differ), but the shape is what matters. The on-chain transaction id is 0xbba9…c39fec.

Step by step (action, then effect):

  1. Take a large flash loan of the relevant token.
     Effect: the attacker now holds enough of the token to move the vault's supply however they wish.
  2. Interact with the deprecated vault to withdraw/burn almost all of the index-token supply.
     Effect: totalSupply of index tokens drops to ~0, into untested, "unsafe" territory.
  3. Take advantage of the broken backing * amount / totalSupply calculation while totalSupply is low.
     Effect: index tokens are minted at near-zero cost, draining the backing behind all tokens.
  4. Take the stolen claim (USDC, option tokens, or other assets) and convert it to real assets.
     Effect: at this point the attacker has extracted value from the protocol.
  5. Repay the flash loan within the same transaction.
     Effect: the loan obligation is released and the transaction becomes final.
  6. (Afterwards) swap ~$105K USDC into ~60 ETH.
     Effect: obfuscates the trail between assets.


The key point is that steps 1-5 all happen in one atomic transaction. The attacker is never exposed holding a loan they cannot repay. The outcome is binary: take all the profit if every step succeeds, or lose only the gas fees if anything reverts. That asymmetry is the main reason flash-loan exploits are so attractive and so hard to deter on purely economic grounds: an uncollateralised lending service lets an attacker win big while risking almost nothing.

A shortened pseudocode implementation of the attack transaction:

function attack() external {
    // 1. Borrow big, no collateral
    flashLoan(TOKEN, LARGE_AMOUNT);
}

// Lender calls this back inside the same tx
function onFlashLoan(uint256 borrowed) external {
    // 2. Crush the vault's index-token supply toward zero
    vault.burnDownSupply();             // totalSupply -> ~tiny

    // 3. The formula now misbehaves:
    //    payout = backing * amount / totalSupply
    //    With totalSupply ~ tiny, claims round hugely in the attacker's favour
    vault.mintIndexTokens(cheapAmount); // mint for almost nothing
    vault.claimBacking();               // claim backing far above cost

    // 4. Convert the loot to assets the attacker keeps
    swapToStable();

    // 5. Repay the flash loan - tx stays valid
    repay(TOKEN, borrowed + fee);
}

It is important to understand that none of this is hacking in the cryptographic sense. Every call is a legitimate function of the contract; the attacker simply invoked them in an order (and with a depleted index supply) that the original developers never accounted for.

How the funds were partly recovered

Approximately $2M of the ~$2.1M was recovered through a white-hat process. Recovery typically happens in one of two ways: a proactive security group front-runs the attack and secures the assets in a safe address, or the protocol negotiates the return of the assets (sometimes paying a bug bounty) after the incident. The alerts that led to discovery of the attack came from on-chain monitors at security firms; PeckShield and Blockaid both issued alerts.

What got away was approximately $34,000 in USDC and option tokens, and the attacker subsequently converted $105,000 worth of USDC into around 60 ether (ETH). Swapping stablecoins like USDC for ETH is a common first step in laundering funds: it breaks the clean USDC trail and turns the looted dollars into a more liquid, universally traded asset that is harder to freeze.

So while the media reported a "$2.1 million" exploit, the net amount actually stolen is considerably less, because the thieves could not convert most of the value into something unreturnable. This is becoming more common in 2026: faster monitoring and increasingly active white-hat groups frequently recover a large share of stolen funds (though seldom all of them).

Why "it was a deprecated vault" is the real lesson

The real lesson lies in the phrase "the vault was deprecated". Thetanuts' response to the breach was that the contract was a deprecated vault, migrated away from years ago, with "no relation" to current products. Technically that is accurate, and it is exactly the point of the whole story.

Smart contracts are immutable. Once deployed, a contract remains on-chain forever unless it was written with a self-destruct or pause function. If a team discontinues a vault, removes its links from the front end and moves all existing liquidity elsewhere, the contract still exists, anyone can still interact with it, and so does all of the value that has accumulated in it over time.

The contract can be exploited if any of the following occur:

  1. No decommissioning. The vault was abandoned in operation, but the contract was never drained, paused, or disabled. Therefore, the functions of the vault still worked.
  2. Low float (total supply). This is the condition under which division-by-totalSupply maths breaks down. Low-float tokens and legacy vaults are inherently fragile and therefore less secure.

This is why low-supply assets deserve extra scrutiny, both as exploit targets and as tradable vehicles. A low float makes a token easy to manipulate and far more sensitive than other tokens to large order flow in the market.

What this means for traders, not just developers

So what does this mean for traders? You probably won't be auditing Solidity, but you can apply the principles from the previous section when evaluating assets and venues.

Treat low-float tokens as high-risk by their very nature. Low supply invites price and supply manipulation, slippage and accounting inaccuracies. An actor holding even a small amount of a token can move the market significantly when the float is provably small, whether through a flash loan, whale accounts or concentrated buying.

Look at where liquidity and supply actually sit. A token may look sound judging by its primary contracts while its legacy contracts hide problems. A trader doesn't have the source code, but they can follow the flow of assets on-chain: sudden movements of assets into an old or unusual contract, unusual minting or burning, and large amounts of tokens moving in and out of a single address.

Do not confuse a small reported loss with small risk. White hats recovered the vast majority of the funds lost in this one attack, but the exploit itself worked flawlessly; the speed of the recovery was pure luck. There are many examples of this type of error costing protocols far more than $1 billion in total by 2026.

Real-time on-chain wallet analysis and characterisation is the only way a trader can turn "I cannot read the contract" into "I can see a wallet doing something unusual". By profiling the wallets accumulating, dumping or interacting with a suspicious contract, a trader can assess the liquidity flowing in and out of any contract and set it against broader market movement using ArbitrageScanner's AI wallet analysis, which scores 272 variables per wallet to flag suspected insiders, whale accounts and unusual liquidity flows. A trader can also track many exchanges and DEXs through a DEX scanner, comparing prices and price movements for the same holdings every second to guard against unexpected market dislocations. For broader context, an arbitrage screener helps identify pricing discrepancies across venues.
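As an added example (not the page's or ArbitrageScanner's code), here are the on-chain signals described above applied to a constructed stream of ERC-20 Transfer events from a legacy index token: it flags any transaction that pushes the supply under a floor and then mints, and any address that burns most of the supply in one go. The event format, addresses and the floor of 10 tokens are assumptions.

```python
from collections import defaultdict

ZERO_ADDRESS = "0x" + "0" * 40   # ERC-20 mints come from, burns go to, this address

# Constructed Transfer events for a legacy index token: (tx_hash, from, to, amount).
# Real inputs would come from an indexer; these values are made up for the example.
EVENTS = [
    ("0xtx-a", "0xholder1", "0xholder2", 50),      # ordinary transfer
    ("0xtx-b", "0xholder2", ZERO_ADDRESS, 20),     # normal redemption (burn)
    ("0xtx-c", "0xactor", ZERO_ADDRESS, 975),      # burn nearly the whole supply ...
    ("0xtx-c", ZERO_ADDRESS, "0xactor", 3),        # ... then mint in the same tx
    ("0xtx-c", "0xactor", ZERO_ADDRESS, 3),        # ... and redeem again
]
START_SUPPLY = 1_000   # constructed: index tokens outstanding before 0xtx-a
SUPPLY_FLOOR = 10      # the article's "fewer than 10 tokens" unsafe zone


def group_by_tx(events):
    """Bucket transfers by transaction hash, preserving log order."""
    per_tx = defaultdict(list)
    for tx, src, dst, amt in events:
        per_tx[tx].append((src, dst, amt))
    return per_tx


def flag_low_float_txs(events, start_supply, floor=SUPPLY_FLOOR, big_share=0.5):
    """Return {tx_hash: [reasons]} for transactions that drive the index-token
    supply under `floor` and then mint, or in which one address burns more
    than `big_share` of the supply that existed when the transaction began."""
    supply = start_supply
    flagged = defaultdict(list)
    for tx, transfers in group_by_tx(events).items():
        supply_at_start = supply
        dipped = False
        burned_by = defaultdict(int)
        for src, dst, amt in transfers:
            if src == ZERO_ADDRESS:             # mint
                supply += amt
                if dipped:
                    flagged[tx].append("mint after supply dropped below floor")
            elif dst == ZERO_ADDRESS:           # burn / redemption
                supply -= amt
                burned_by[src] += amt
                if supply < floor:
                    dipped = True
        for addr, amt in burned_by.items():
            if supply_at_start and amt / supply_at_start > big_share:
                flagged[tx].append(f"{addr} burned {amt} of {supply_at_start} supply")
    return dict(flagged)


def final_supply(events, start_supply):
    """Supply after replaying every mint and burn, for sanity-checking a feed."""
    supply = start_supply
    for _, src, dst, amt in events:
        if src == ZERO_ADDRESS:
            supply += amt
        elif dst == ZERO_ADDRESS:
            supply -= amt
    return supply


if __name__ == "__main__":
    for tx, reasons in flag_low_float_txs(EVENTS, START_SUPPLY).items():
        print(tx, reasons)
```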

The bigger picture: flash-loan attacks in 2026

The bigger picture is that Thetanuts is not an isolated case: flash-loan attacks are on course to cost more than $1 billion in 2026, and flash-loan-amplified exploits have landed repeatedly this year. In January 2026, Makina Finance was attacked via a flash loan for approximately $280,000,000 by exploiting oracle pricing on a Curve pool. In March 2026, an attacker borrowed substantial size from Venus Protocol to push the protocol's internal state beyond its limits and over-borrow; the borrowed size was the only way the exploit could succeed. In total, DeFi exploits in 2026 already run to hundreds of millions of dollars, with estimates exceeding $1 billion for the year.

The common thread in these exploits is not one specific code bug but a pattern: an attacker exploits low float and low liquidity within a protocol, pushes it into an untested state, and extracts value from the conditions that state creates. This is feasible because massive temporary size can be borrowed at almost no cost, which is what gives an exploit its boomerang shape. Defences are needed: banning flash loans is not possible, and flash loans have a legitimate place in the financial ecosystem; however, the temporary size that flash loans can create cannot be allowed to remain unbounded. Furthermore, code that will live on-chain forever must be held to a higher standard than was accepted at the moment it was written.

The best way for any other DeFi project to avoid shipping code that exposes its users is to learn from the repeated mistakes of others: low float, forgotten contracts and weak wallets.

Frequently asked questions

Can you explain what "Thetanuts flash loan exploit" means in basic terms?

On June 15, 2026, an attacker used a flash loan to drive the total index-token supply of a deprecated Thetanuts vault to nearly zero within a single transaction. At that near-zero supply the vault's redemption formula divided by a tiny number, and converting the result to an integer produced inflated payouts; this let the attacker mint and claim index tokens so cheaply that they stole an estimated $2.1 million.

How can someone use a flash loan to steal without using any of their own money?

A flash loan is issued to a borrower and repaid to the lender within a single atomic transaction. If the borrower cannot repay, the entire transaction reverts to its original state and the lender suffers no loss, so no collateral is required. The attacker therefore needs no real money of their own, only the temporary size needed to push a protocol's internal state into a condition its designers never priced for, plus the ability to repay the loan before the transaction completes.

How does an abnormally low token supply lead to rounding error?

Vault accounting generally divides by total supply, so dividing by an abnormally low number produces a very large result; and because Solidity only supports integer arithmetic (no decimals), every division is rounded to a whole number. When supply is large, those rounding errors barely affect claims; when supply is near zero, rounding combined with division by the tiny supply produces errors large enough for a claimant to exploit. A very low supply is therefore dangerous for both investors and traders.

How much financial impact did Thetanuts Hack have?

The amount lost in the Thetanuts hack was approximately $2.1 million. However, white-hat recovery returned about $2 million in option tokens, leaving a net loss of approximately $140,000. The attacker kept approximately $34,000 in USDC-based option tokens and converted approximately $105,000 worth of USDC into approximately 60 ETH. The unrecovered loss is therefore substantially less than $2.1 million.

Was Thetanuts' Main Protocol Impacted?

According to Thetanuts, its main protocol was not affected by the hack. The exploited contract was a deprecated vault that the team says it migrated away from several years ago, with no relationship to its current contracts or products. The incident is a standing reminder that abandoned contracts remain on-chain and callable unless they are publicly frozen or drained.

How can a trader protect against a loss from a hack like the one that happened to Thetanuts?

No trader can audit every contract. However, treating all low-float tokens as higher risk and avoiding legacy or unofficial contracts eliminates much of the associated risk. To reduce your exposure further, monitor on-chain behaviour for odd mint/burn activity, sudden large movements of liquidity into old contracts, or large one-off transactions; these are the behaviours that have preceded hacks in the past.


This article is provided for educational/information purposes only. We are a group of software developers. We do not provide recommendations nor make any guarantee or promise of how much money you will make or will not make. We do not advise any person to invest their money into any particular investment. All processes that our program operates are manual and all of your funds remain solely in the control of you. The specific actions we provide as examples of past clients' performance in arbitrage were provided solely for comparative purposes and the employees of our program do not provide any advice or guidance regarding any of those actions. Your overall earnings will continue to be based solely upon your own actions as well as the actions of other investors/marketers. Conduct your own research before investing in or otherwise interacting with any smart contract or committing any of your funds to it.
