THORChain’s 13-Hour Halt Caught a $10.8M Vault Drain Cold

THORChain’s cross-chain swap engine sat dark for nearly thirteen hours on May 15, after a newly seated validator quietly fed enough cryptographic material out of the network to drain about $10.8 million from its protocol vaults. User wallets were spared, with losses confined to liquidity owned by the protocol itself. The pause that contained the damage was triggered by a single node operator using the ‘make pause’ command, and that detail is the part of the story that matters past the weekend.

The Halt Worked Faster Than the Attacker

Block 26190429 is when the network froze. ZachXBT, the on-chain investigator whose alerts have anchored several recent breach disclosures, flagged unusual outflows from THORChain’s Asgard vaults that morning. PeckShield, a blockchain security firm, followed within minutes with a tally of affected assets and the chains they sat on.

The Mimir governance module flipped both the trading and signing parameters to halt across the four blockchains the exploit touched. By the time engineers restored normal activity, the freeze had run twelve hours and forty-two minutes. RUNE, the protocol’s native token, fell from about $0.58 to near $0.44 in the hours after the alert, a slide of roughly twenty-four percent before partial recovery. Market cap touched $157 million, a level RUNE last saw during the depths of the 2025 debt episode.

What the halt prevented is harder to measure than what it allowed through. An undisturbed exploit at vault-key depth could have continued through subsequent signing rounds, draining far past the figure that ended up booked.

  • $10.8 million drained across four blockchains
  • 36.75 BTC taken, worth about $3 million at attack-time prices
  • 12 hours, 42 minutes of network downtime
  • 24 percent drop in RUNE before partial recovery

Inside the GG20 Vault Crack

The leading theory traces the loss to a vulnerability in the GG20 threshold signature scheme (TSS, a cryptographic protocol that splits a wallet’s private key across multiple parties so no single one can spend funds alone). THORChain’s vaults rely on this scheme to hold native Bitcoin, Ethereum and other chain assets without wrapping them. The validator at the center of the exploit had joined the active node set only days before the attack, according to PeckShield and Chainalysis briefings.

The mechanic is not new. Fireblocks published a technical report in August 2023 documenting CVE-2023-33241, a Paillier key vulnerability in GG18 and GG20 that lets a malicious participant extract a full private key from as few as sixteen signing sessions in vulnerable implementations. The fix is straightforward in theory: validate that the Paillier modulus is correctly formed using a zero-knowledge proof. In practice, multiple production deployments shipped without that check, and several wallet libraries needed patches over the following two years.
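The check the paragraph above describes, in code. This is an added illustration, not THORChain's, Fireblocks' or any TSS library's own code: it performs the cheap structural checks a signing participant can run locally on a counterparty's Paillier modulus (bit length, parity, small factors, perfect square, primality) before using it in a signing round. The bound, seed and sample moduli are constructed for the demo, and the 512-bit size is chosen only so it runs quickly; production keys are 2048 bits or larger.

```python
# Added illustration (not THORChain's or Fireblocks' code): local sanity
# checks on a counterparty's Paillier modulus N before it is used in a
# GG18/GG20 signing round. Sample keys are constructed for the demo.
import math
import random

# Trial-division bound (constructed). Factors below it are caught locally;
# factors above it are exactly what the zero-knowledge proof of modulus
# well-formedness has to rule out, so this is a first gate, not the fix.
SMALL_FACTOR_BOUND = 1 << 16


def primes_up_to(bound: int) -> list[int]:
    """Sieve of Eratosthenes."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, math.isqrt(bound) + 1):
        if sieve[i]:
            sieve[i * i :: i] = bytes(len(range(i * i, bound + 1, i)))
    return [i for i, flag in enumerate(sieve) if flag]


SMALL_PRIMES = primes_up_to(SMALL_FACTOR_BOUND)


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with a small-prime prefilter."""
    if n < 2:
        return False
    for p in SMALL_PRIMES[:64]:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random prime of exactly `bits` bits (top and bottom bits forced set)."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def validate_paillier_modulus(n: int, min_bits: int = 2048) -> tuple[bool, str]:
    """Structural checks on a received modulus. Returns (ok, reason).

    Passing is necessary, not sufficient: a modulus assembled from primes just
    above SMALL_FACTOR_BOUND passes every test here, which is why the protocol
    still needs a zero-knowledge proof that N is well formed.
    """
    if n.bit_length() < min_bits:
        return False, f"modulus is {n.bit_length()} bits, below {min_bits}"
    if n % 2 == 0:
        return False, "modulus is even"
    for p in SMALL_PRIMES:
        if n % p == 0:
            return False, f"modulus has small factor {p}"
    root = math.isqrt(n)
    if root * root == n:
        return False, "modulus is a perfect square"
    if is_probable_prime(n):
        return False, "modulus is prime (no second factor)"
    return True, "passed local checks; ZK well-formedness proof still required"


def demo(bits: int = 512, seed: int = 7) -> dict[str, tuple[bool, str]]:
    """Check a properly formed modulus and a constructed malformed one."""
    random.seed(seed)
    # Honest key: N = p * q with two primes of equal size.
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        honest_n = p * q
        if honest_n.bit_length() == bits:
            break
    # Malformed key (constructed): a product of many 16-bit primes of the same
    # overall size. Nothing in its length or parity betrays it; trial division does.
    malformed_n = 1
    for prime in reversed(SMALL_PRIMES):
        malformed_n *= prime
        if malformed_n.bit_length() >= bits:
            break
    return {
        "honest": validate_paillier_modulus(honest_n, min_bits=bits),
        "malformed": validate_paillier_modulus(malformed_n, min_bits=bits),
    }


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:9s} ok={ok} {reason}")
```

The point of the design is the gap it leaves on purpose: trial division is cheap and catches the crude case, but a participant that stops here is still exposed to a modulus whose factors sit just above the bound. That residual case is what the zero-knowledge proof in the fix covers, and it is why "we check the key size" is not an answer to this CVE.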

If the THORChain attacker exploited the same family of weakness, the playbook ran like this. Bond enough RUNE to enter the active validator set during a vault churn, the regular process that rotates which nodes hold key fragments. Participate in signing rounds and collect leaked beta values across each round. After enough rounds, reassemble the full private key, then authorize outbound transfers from the vault as if you owned it.

The pre-attack work matters here. Bonding the validator slot, by Chainalysis’s account, was funded from a Hyperliquid position seeded with privacy-coin deposits weeks earlier. Whoever wrote this campaign understood both the cryptographic seam and the operational seam, and they built the validator on top of laundered seed capital.

The Hyperliquid-Monero Trail Was Weeks Old

Chainalysis, the blockchain analytics firm whose reports inform several US enforcement agencies, said the operation began in late April. A wallet linked to the attacker funded a Hyperliquid position by depositing Monero through the exchange’s privacy bridge. That position was swapped for USDC, withdrawn to Arbitrum, and bridged into Ethereum. From Ethereum, the attacker bonded RUNE through THORChain itself, securing the validator slot that would later become the attack vector.

Forty-three minutes before the first vault drain, eight ETH moved into the wallet that received the stolen funds. The timing is the kind of detail Chainalysis flags as planning rather than opportunism. State-aligned crews have spent years probing cross-chain infrastructure for similar setups; the September 2025 attack on THORChain co-founder John-Paul Thorbjornsen, which cost roughly $1.35 million in personal holdings, was attributed to North Korean threat actors using deepfake social engineering, and the same patterns surfaced in the broader DeFi outflows linked to Lazarus through Kelp DAO and Drift.

User Funds Survived, Protocol Liquidity Did Not

The single most important number in the post-incident reports is the one that did not move. Wallets controlled by users, including liquidity-provider positions and external swap recipients, were untouched. The losses sit entirely inside protocol-owned vaults, which is the liquidity the THORChain treasury and bonded nodes contribute to support trading.

| Asset class | Approximate loss | Where it came from |
|---|---|---|
| Bitcoin | 36.75 BTC (about $3 million) | Asgard BTC vault |
| Ethereum, Base, BNB Smart Chain | About $7 million combined | Cross-chain vault holdings |
| User wallets | $0 | Untouched by the exploit |
| Liquidity-provider positions | $0 | Insulated from the vault drain |

That distinction is small comfort to RUNE holders watching token value contract, but it changes the post-mortem calculus. The protocol’s recovery portal, opened on May 16 and accepting claims through June 4, draws from a treasury-funded pool that THORChain says will cover compensation in full for affected positions. The treasury eats this loss directly rather than socializing it across users.

TRM Labs, a competitor analytics firm to Chainalysis, has separately traced movement of stolen assets across at least nine chains as the attacker began consolidating positions. Those tracking efforts compress the laundering window, which gives node operators and exchanges a real chance to flag deposits before they clear.

Six Exploits in Five Years

THORChain has been here before. The current incident is the sixth significant security event in the protocol’s operating history, and the second to bite at the cryptographic heart of the validator system rather than the surrounding routers or smart-contract scaffolding. The pattern is worth laying out, because it changes what ‘mature’ should mean for a network that has now been operating five years.

  1. 2021, ETH router exploits: Three back-to-back attacks on the Ethereum router cost roughly $15.5 million combined, exposing weak validation logic in the Bifrost bridge component.
  2. 2022, validator software bug: A non-deterministic node behavior bug disrupted consensus for about twenty hours; no funds were lost, but the network halted to repair.
  3. 2023, TSS key generation weakness: A separate vulnerability in threshold-signature key generation was detected and the network was halted before losses could be booked.
  4. January 2025, THORFi lending design: A flaw in the lending model trapped roughly $200 million in defaulted obligations, ultimately resolved by converting them into a new equity-style token.
  5. September 2025, co-founder targeting: A deepfake social-engineering attack on co-founder John-Paul Thorbjornsen yielded about $1.35 million in personal holdings.
  6. May 2026, GG20 vault attack: The current incident, with about $10.8 million drained across four chains.

Cumulative direct losses or trapped funds across these incidents land near $227 million on NullTX’s accounting, with an additional roughly $605 million in stolen property from other protocols routed through THORChain afterward. The number sits awkwardly next to a market cap of $157 million. Two of the six events touched validator or key infrastructure rather than peripheral code, which is the part of the chart that should worry holders most.

What the ‘Make Pause’ Button Tells You About Decentralization

Read the THORChain documentation on emergency procedures and the philosophical stance is candid. The ‘make pause’ command is described in the dev docs as ‘the big red button that stops everything.’ The community is, in the same document, exhorted to use it freely under the rallying cry ‘Halt Early, Halt Often.’ Any single node operator can engage the brake for 720 blocks, roughly one hour, with additional pauses extending the freeze indefinitely.

Node Operators are supported by the community, developers and all stakeholders to make pause if there is any doubt.

That language sits a little awkwardly next to the marketing copy. Cross-chain DEXes (decentralized exchanges) are often pitched as the answer to centralized venue risk: no custodian to seize funds, no operator to censor trades, no kill switch outside code. The THORChain documentation says the opposite, plainly. There is a kill switch, several node operators hold the key to it, and the community supports its use ‘if there is any doubt.’ That is a different security model than the marketing suggests.

The trade-off is defensible. In a live exploit, the brake worked. Without it, the GG20 leak could have continued through subsequent signing rounds and drained vaults beyond the ceiling that capped this incident. But the same brake also explains why crypto Twitter spent the weekend arguing about THORChain’s governance structure rather than its math. The protocol is closer to a federated network with strong incentives than to a fully trustless system, and the halt made that visible to anyone reading the post-incident channels.

Compare this to the bridge exploits that have run uncontested through 2025, where attacks complete in under three minutes and fund movements clear in four seconds, outpacing alert systems by up to seventy-five times. THORChain has a brake. Most bridges do not. The honest framing is that THORChain bought security by accepting coordination, and the incident on May 15 proved the bargain works at least once.

The Recovery Portal and What Comes After

THORChain’s recovery portal accepts claims through June 4, with the protocol treasury underwriting compensation directly. The network resumed trading after the twelve-hour-plus pause, but with restricted signing parameters and additional monitoring on validator behavior. A full post-mortem has not been published as of this writing, and the absence is the variable that determines how the next month plays out.

The harder question is structural. If the cryptographic exploit vector is confirmed in the published report, every MPC (multi-party computation) cross-chain system using the same protocol family inherits the audit. Binance Custody and several other major vault operators have shipped patches over the past two years; whether every active THORChain validator runs a patched library is the kind of thing the post-mortem needs to name specifically. Fireblocks’s 2023 disclosure listed more than ten wallets and libraries with the same root weakness, and the patching record across the industry has been uneven.

What comes next splits cleanly. A detailed post-mortem this week, with a verifiable cryptographic fix and a public list of validators running patched libraries, makes the halt look like a defense that worked. A vague or delayed report makes the next exploit much more expensive to absorb, because the credit accumulated for this one’s containment evaporates the moment the second attack lands.

Disclaimer: This article is for informational purposes only and does not constitute investment, financial, or legal advice. Cryptocurrency and DeFi assets carry significant risk of loss, including from exploits, governance actions and protocol halts. Readers should consult a qualified financial professional before making decisions about RUNE or other digital assets. Figures and on-chain data are accurate as of May 18, 2026.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy-focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no-nonsense tech news and reviews based on real hands-on testing. He has personally tested and reviewed dozens of mid-range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.
