Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
A newly deployed vault contract of Thetanuts Finance was exploited via a First Depositor Attack. The attacker took advantage of the vault’s share calculation logic when totalAssets and totalSupply were both 0 at initialization: they deposited a minimal amount (e.g., 1 wei) to mint 1 share, then directly transferred a large amount of assets (e.g., ETH) to the contract, manipulating the asset-to-share ratio. When subsequent users deposited, they received almost no shares, allowing the attacker to redeem their single share for nearly all the vault’s assets. The loss was approximately $50,000. The protocol focuses on on-chain options and yield vaults; this incident affected a specific new vault. Attack method (per SlowMist): Contract Vulnerability. Reported loss: $ 50,000.
- chain
- —
- protocol
- Thetanuts Finance
- bug_class
- accounting
- date_occurred
- 2026-04-20
- loss_usd
- $50,000
- source_id
- sm:thetanuts-finance::2026-04-20