THORChain restarted trading more than a month after a mid-May exploit drained about $10.7 million from one of its vaults, following security patches, a vault-quarantine mechanism and a recovery plan that covered losses from protocol reserves rather than by minting new tokens.
Original market reporting from the FXMARE News Desk, produced under the FXMARE editorial policy. It reports facts only and is not investment advice.
THORChain, a decentralized cross-chain liquidity network, has resumed trading more than a month after a vault exploit drained roughly $10.7 million, bringing the protocol back online after a staged recovery built around security upgrades and a carefully sequenced restart. The reopening marks the end of an extended pause that froze swaps and other core functions across the network.
The trouble began in mid-May, when an attacker drained about $10.7 million from one of the protocol's vaults. According to the project's incident reports, the breach stemmed from a weakness in the threshold-signature scheme used to control those vaults, a system that lets a rotating set of validators jointly authorize transactions without any single operator holding the full private key. Investigators concluded that a newly added node had exploited the flaw, gradually leaking enough key material to reconstruct a vault's signing key. Automated solvency checks detected the imbalance and halted signing within minutes, after which operators paused trading and other sensitive operations while the issue was triaged. The protocol's other vaults were unaffected.
The response leaned heavily on a governance-approved recovery framework designed to make affected users whole without inflicting fresh damage on token holders. Rather than minting new units of its native token to cover the shortfall, the protocol drew on its own reserves, an approach intended to avoid diluting existing holders even if it temporarily reduces the depth of its liquidity pools. A recovery portal was opened so that affected users could verify and claim compensation through a self-custodial process, with the refund pool provisioned to match the estimated losses. The protocol also opened a bounty window aimed at encouraging the attacker to return funds and moved to penalize the validator linked to the breach while shielding innocent nodes that shared the same vault.
On the technical side, the restart hinged on a software upgrade containing patches to the signature system, a mechanism to quarantine a compromised vault so it can be isolated from transaction processing while remaining visible to the network, and additional checks to verify the integrity of validators' key material before signing resumed. Once validators approved the upgrade, the network worked through a sequence of vault, migration and key verification steps, reopening signing, asset functions, liquidity actions and trading in stages rather than all at once.
The episode is a reminder of how exposed cross-chain infrastructure remains. Protocols that move assets natively between blockchains have repeatedly ranked among the most targeted in decentralized finance, with cumulative losses running into the billions over the years, because each additional chain and connector widens the attack surface. THORChain in particular has weathered several earlier incidents and, given its role in seamlessly converting assets across networks, has also drawn scrutiny as a venue used to launder proceeds from other hacks. With trading restored, attention now shifts to whether the hardening measures hold up and whether the network can rebuild the confidence of liquidity providers and users in the wake of the breach.