Thorchain halts trading after $10 million cross-chain exploit

[Oshosondy]

Thorchain’s RUNE token fell about 12% following the news after the exploit.

Wallets linked to the attacker currently hold roughly 3,443 ETH, 36.85 BTC and 96.6 BNB, while Thorchain’s RUNE token fell about 12 percent following the news.

Totally amount seen so far is $10.8 million across Bitcoin, Ethereum, BSC, and Base.

https://www.coindesk.com/tech/2026/05/15/thorchain-halts-trading-after-usd10-million-cross-chain-exploit-rune-token-drops-12

I have also been seeing the exploit on X.

[cLoazyL]

Thorchain’s RUNE token fell about 12% following the news after the exploit.

Wallets linked to the attacker currently hold roughly 3,443 ETH, 36.85 BTC and 96.6 BNB, while Thorchain’s RUNE token fell about 12 percent following the news.

Totally amount seen so far is $10.8 million across Bitcoin, Ethereum, BSC, and Base.

https://www.coindesk.com/tech/2026/05/15/thorchain-halts-trading-after-usd10-million-cross-chain-exploit-rune-token-drops-12

I have also been seeing the exploit on X.

The DPRK is also targeting places where they exchanged their dirty money, very interesting

[Yamane_Keto]

THORChain protocol team did not release any technical details, but it is worth noting that the protocol processed $394 million at the same time as the hack. I think hackers exploited this and found a vulnerability by making the contract believe a large deposit had been made, and then requested a refund, which leads to draining liquidity pools.

[cLoazyL]

THORChain protocol team did not release any technical details, but it is worth noting that the protocol processed $394 million at the same time as the hack. I think hackers exploited this and found a vulnerability by making the contract believe a large deposit had been made, and then requested a refund, which leads to draining liquidity pools.

You have some details there: https://x.com/depouch/status/2055275129333023113

But I'm still waiting for more informations!!

[TryNinja]

The DPRK is also targeting places where they exchanged their dirty money, very interesting

Money is money. They have no problem exploiting their own bridges.

At the end of the day, Thorchain will come back and they will keep using it.

[Bitcoin_Arena]

The DPRK is also targeting places where they exchanged their dirty money, very interesting

But how do people come up with theories that for some reason the massive hacks are always linked to the Democratic People's Republic of Korea? Even when the funds are just seated in some yet-to-be-identified addresses, the immediate suspect is North Korea. Back in the day it would also be Russian hackers or something along those lines. For some reason we never hear about anything about hackers from the UK or hackers from the US. Quite suspicious, isn't it?

[OmegaStarScream]

But how do people come up with theories that for some reason the massive hacks are always linked to the Democratic People's Republic of Korea? Even when the funds are just seated in some yet-to-be-identified addresses, the immediate suspect is North Korea. Back in the day it would also be Russian hackers or something along those lines. For some reason we never hear about anything about hackers from the UK or hackers from the US. Quite suspicious, isn't it?

It's usually the chain analytics companies that end up with that conclusion but in this hack, I don't believe anyone confirmed this.
@Oshosondy There are currently some fake accounts on X giving people links to claim their "losses", these are all fake[1] but somehow... Cointelegraph managed to fall for this and released an article about it[2].

[1] https://x.com/THORChain/status/2055593187922587697
[2] https://cointelegraph.com/news/thorchain-confirms-10m-exploit-rolls-out-recovery-portal-for-affected-users

[bitmover]

THORChain protocol team did not release any technical details, but it is worth noting that the protocol processed $394 million at the same time as the hack. I think hackers exploited this and found a vulnerability by making the contract believe a large deposit had been made, and then requested a refund, which leads to draining liquidity pools.

Lots of hacks happening because of AI. Those AI models are getting ververygood in finding bugs andy exploiting systems.

[Bitcoin_Arena]

>>snip<<

I second @OmegaStarScream

This is yet again another scam attempt. Just because an X account has a blue checkmark does not mean that it is legitimate, especially these days when it is worth a few bucks.

The official domain name: https://swap.thorchain.org/

Scam domain name:

Code:

https://revoke-thorchain.org/

The domain name was just registered yesterday 

Details

Code:

Domain: revoke-thorchain.org
Registered On: 2026-05-15
Expires On: 2027-05-15
Updated On: 2026-05-15

[honglu69]

Thorchain is hacked again and swap halted. Thorchain is over rated due to security risk and komodo dex tech is underrated. Nobody understand thorchain source code other than it's dev. Too complicated while komodo wallet dex source code is a lot easier to understand and its source code is 100% open sourced and komodo fork Cheetahdex wallet/dex is readily available for those who want to run wallet dex to trade immediately.

[Oshosondy]

Thorchain is hacked again and swap halted. Thorchain is over rated due to security risk and komodo dex tech is underrated. Nobody understand thorchain source code other than it's dev. Too complicated while komodo wallet dex source code is a lot easier to understand and its source code is 100% open sourced and komodo fork Cheetahdex wallet/dex is readily available for those who want to run wallet dex to trade immediately.

Some people will think only centralized exchanges can be hacked, but it is not like that. There has been few decentralized exchanges that have also been hacked, but the difference is that you do not have money on decentralized exchange unlike the centralized exchange rate you can have money, this reduce the chance that you may fall victim on a decentralized exchange.

[logfiles]

Thorchain is hacked again and swap halted. Thorchain is over rated due to security risk and komodo dex tech is underrated. Nobody understand thorchain source code other than it's dev. Too complicated while komodo wallet dex source code is a lot easier to understand and its source code is 100% open sourced and komodo fork Cheetahdex wallet/dex is readily available for those who want to run wallet dex to trade immediately.

No system is 100% secure, once in a while an attacker can make a break through. The source code being 100% open source does not make the service immune to attacks. There will always be new bugs even when an update is made.

I read their tweet, and they said that no user lost their funds in the attack but rather protocol owned funds so at least this is a sigh of relief to the users. Had it been a centralized exchange, it would be a whole new different thing.

[honglu69]

Thorchain is hacked again and swap halted. Thorchain is over rated due to security risk and komodo dex tech is underrated. Nobody understand thorchain source code other than it's dev. Too complicated while komodo wallet dex source code is a lot easier to understand and its source code is 100% open sourced and komodo fork Cheetahdex wallet/dex is readily available for those who want to run wallet dex to trade immediately.

No system is 100% secure, once in a while an attacker can make a break through. The source code being 100% open source does not make the service immune to attacks. There will always be new bugs even when an update is made.

I read their tweet, and they said that no user lost their funds in the attack but rather protocol owned funds so at least this is a sigh of relief to the users. Had it been a centralized exchange, it would be a whole new different thing.

no user "lost" fund in thorchain eco system is false claim.  Thorchain Liquidity pool owner is "user",  LP user lost a lot in the past. They even closed redeeming pushed all loss to LP users.  by the way, LP users initially were attracted by fat yield and the "Impermanent loss protection guarentee" which was later removed.

At best, thorchain is bait and switch to LP owners.  Yes, DEX is good, but komodo dex and Cheetahdex is another dex technology too based on atomic swap tech base, not thorchain alone.

[_act_]

no user "lost" fund in thorchain eco system is false claim.  Thorchain Liquidity pool owner is "user",  LP user lost a lot in the past. They even closed redeeming pushed all loss to LP users.  by the way, LP users initially were attracted by fat yield and the "Impermanent loss protection guarentee" which was later removed.

At best, thorchain is bait and switch to LP owners.  Yes, DEX is good, but komodo dex and Cheetahdex is another dex technology too based on atomic swap tech base, not thorchain alone.

I do not know about THORChain until recently, and logfiles is referring to the recent attack, not all the attacks on THORChain, which I do not know about.

According to what has been online, attackers exploited the protocol's asgard vaults, but only the protocol's funds were affected, while the users funds are protected. No user has also come out to say he is affected.

Those that are saying there is a recovery for users that lost money are all scam and fake recovery because no one is affected.

THORChain developers are genius.

[honglu69]

In dex world,  more competition is better.  We need more dex wallet option, not just use Thorchain. For users, we should separate trader as user in one bucket, and yield earner user as another bucket as "yield user".  For yield user, Thorchain LP business model is dead. The team need to put up market making liquidity dollar to support pairs. The team needs to put $25k to $50k USD into thorchain to get huge liquidity benefit for traders.

Thorchain:  great for trader users, sucks for yield earner because it is almost scam for LP users. Do not put your coins into Thorchain into LP.  Other than LP, I do believe thorchain is great DEX product and has its real true usage and trade off.  Team usually need to put up LP to support, $25k to $50K USD equivalent for market making  like CEX based on newest info there.

AMM ERC traditional style: great, but only works for BNB ETH style EVM chain.


Komodo dex:  great for decentralization, open sourced fork like Cheetahdex allowing trading. It has problem on liquidity. But open sourced tool available to allow team to deploy liquidity into wallet DEX. True decentralized P2P swap and wallet.   Why not consider putting some liquidity into true P2P like Komodo dex (cheetahdex), you own code, put up some seednode spinning running.  very low risk of hack.  

[Yamane_Keto]

Some people will think only centralized exchanges can be hacked, but it is not like that. There has been few decentralized exchanges that have also been hacked

We cannot call 'hacking' to decentralized system. If a DEX was hacked, it is definitely centralized. What happened with Thorchain was the exploitation of a vulnerability that led to the loss of funds from liquidity providers, and those who use the protocol to conduct the exchange are not harmed.

[Oshosondy]

Some people will think only centralized exchanges can be hacked, but it is not like that. There has been few decentralized exchanges that have also been hacked

We cannot call 'hacking' to decentralized system. If a DEX was hacked, it is definitely centralized. What happened with Thorchain was the exploitation of a vulnerability that led to the loss of funds from liquidity providers, and those who use the protocol to conduct the exchange are not harmed.

And it is not hacked? What are you explaining. You said what happened with Thorchain was the exploitation of a vulnerability that led to the loss of funds from liquidity providers. So what is that?

Even I have heard of Bisq and few other decentralized exchanges that were hacked. Not hackers that exploited them?

[b1ack]

🚨 ALERT 🚨

We have identified unauthorized outbound transactions from one of the Asgard vaults. As a result, funds were lost from that vault.

This investigation is still in its very early stages, and the information below is preliminary and subject to change as we continue analysis. We ask the community to give the node operators and development teams time to complete a thorough investigation before drawing conclusions.

What we currently know:

One of the six Asgard vaults appears to have been compromised.
Current estimates place the loss at approximately $7.4m USD.
The network automatically detected the abnormal behavior and halted signing activity, which alerted the broader community and prevented further outbound activity.
Node operators securing the vault maintain bonded RUNE which is subject to slashing in the event of unauthorized outbound transactions.
Churn activity has been paused while the investigation is ongoing and remediation steps are evaluated.
As a result, onboarding of additional chains and any operations requiring churns will be delayed until the network is stabilized.

At this stage, the root cause has not yet been determined.

Current areas under investigation include:
A potential vulnerability in the GG20 implementation layer
Infrastructure or operational compromise affecting a sufficient number of nodes
Other attack vectors that could have enabled unauthorized signing activity

At this time, we do not have evidence supporting any specific conclusion, and we want to avoid premature assumptions until the investigation is complete.

We are asking all node operators to immediately review their infrastructure, hosts, key management systems, and operational security for any signs of compromise or abnormal behavior, and to report anything suspicious to the dev team.

Additionally, node operators participating in the affected vault are requested to securely provide Bifrost logs to the dev team for analysis using make relay.

We will continue to provide updates as we learn more.

🚨 ALERT 🚨

Developers and THORSec have been investigating today’s incident continuously throughout the day. While new information may still emerge, I want to provide the community with an update based on what we currently know.

The goal of this update is to clarify the current understanding of the situation as accurately and transparently as possible.

A newly churned node, thor16ucjv3v695mq283me7esh0wdhajjalengcn84q, which entered the network several days ago, is currently believed to be associated with the attack. Developers have identified links between Ethereum addresses used to acquire and bond RUNE for this node, and Ethereum addresses that later received the stolen funds. Based on current evidence, it is believed this was conducted by a single malicious operator, though the investigation remains ongoing.

At this time, the leading theory is the attacker exploited a vulnerability within the GG20 TSS implementation which allowed sensitive key material from vault participants to leak over time. By accumulating enough leaked information, the attacker was ultimately able to reconstruct the vault’s TSS private key and execute unauthorized outbound transactions.

The Treasury is actively collecting forensic data and coordinating with Outrider Analytics and relevant law enforcement agencies in an effort to identify the attacker and pursue recovery of stolen funds where possible.

Due to multiple node operators executing make pause, the network is currently paused. Unless further action is taken, the pause state will automatically expire in approximately 12 hours. At this time, the development team is comfortable allowing the pause to expire in order to restore RUNE transfers and chain observation activity.

However, trading, signing, LP actions, and other sensitive operations will remain paused until the network and community align on a comprehensive recovery and remediation plan.

The recovery process will likely require node governance decisions regarding how losses are ultimately handled. Several potential approaches are already being discussed, including:

Slashing the bond of nodes participating in the affected vault
Allowing Protocol-Owned Liquidity (POL) to absorb the loss
Additional recovery proposals that may emerge from the broader community

At this stage, no final decisions have been made.

The team is continuing to work on a complete recovery and restart plan for the network. Bringing trading and full functionality back online will likely take several days, and potentially longer depending on the complexity of the chosen remediation path.

We will continue to provide updates as more information becomes available.

Finally, I want to thank the developers, node operators, security contributors, and the broader THORChain community for the enormous amount of work done today. One of THORChain’s greatest strengths has always been the community’s ability to come together under pressure, collaborate quickly, and solve difficult problems together.




This is their official response