THORChain Resumes Trading After $10.7M Hack Recovery

What Happened

On May 15, an attacker targeted one of THORChain’s Asgard vaults, exploiting a weakness in the protocol’s GG20 TSS security system. Investigators determined the attacker was a node operator who had joined the network just two days before launching the exploit. The breach affected assets across at least nine blockchains including Bitcoin, Ethereum, and BNB Chain.

THORChain’s automatic solvency mechanisms detected the unusual activity and halted signing operations, preventing further damage. Without this safeguard, losses could have extended significantly beyond the initial $10.7 million.

How the Recovery Worked

Unlike many DeFi recovery efforts that issue new tokens to cover losses, THORChain took a different approach. The protocol relied on protocol-owned liquidity to stabilize the network and rebuild confidence before reopening. This non-dilutive recovery strategy aimed to shield RUNE token holders from the dilution that typically accompanies emergency token issuance.

The exploit initially caused RUNE to drop between 12% and 15% in market value. However, the decision to avoid new token minting helped limit further downward pressure on the asset during the recovery period.

Full Operations Restored

THORChain confirmed that all core functions are now operational. This includes transaction signing, node churning, secured and trade assets, liquidity provider actions, and swaps. The platform describes itself as the world’s leading Bitcoin DEX, and the reopening marks the return of full cross-chain liquidity services.

The restart follows extensive security upgrades, vault migrations, and verification procedures designed to prevent similar breaches in the future. However, the work is far from complete. Governance discussions are now focused on replacing the vulnerable GG20 threshold signature system with alternative security architectures.

A Troubling Pattern

This incident marks THORChain’s third major exploit since 2021. Cumulative losses associated with attacks on the protocol have now approached $25 million, according to security firm TRM Labs. This track record has raised serious questions about the protocol’s security approach and its effectiveness at protecting user assets.

The incident has also reignited debates over how decentralized networks can adequately defend against insider threats. An attacker who joined the network just 48 hours before the exploit suggests that node operator vetting processes may need significant strengthening.

Broader Challenges Ahead

Beyond the immediate restart, THORChain faces mounting pressure from multiple angles. The protocol suspended its ThorFi lending business in 2025 due to insolvency concerns. Additionally, regulators and compliance firms have highlighted THORChain’s role in facilitating cross-chain transfers linked to major crypto hacks, raising questions about how extensively the platform is being used for potentially illicit purposes.

The reopening represents an important milestone for restoring confidence in one of crypto’s largest cross-chain liquidity networks. However, the protocol’s team must now convince users to re-engage with the platform while developing an effective strategy to address security vulnerabilities and regulatory scrutiny. Whether THORChain can overcome this credibility challenge remains an open question.