THORChain Hit by $10M+ Cross-Chain Exploit: Protocol Halts Trading Amid Vault Churn Vulnerability

Decentralized cross-chain liquidity protocol THORChain has suffered a significant security breach, with losses estimated between $10 million and $11 million across multiple blockchains. The incident prompted an immediate global trading halt as node operators responded to the attack.

On-chain investigator ZachXBT first flagged the exploit via his Telegram channel, initially reporting losses exceeding $7.4 million before figures were revised upward. The attack affected THORChain vaults on Bitcoin, Ethereum, BNB Smart Chain (BSC), and Base. Attacker-controlled wallets currently hold approximately 3,443 ETH (worth around $7.77 million), 36.85 BTC (about $2.97 million), 96.6 BNB, and additional tokens.

How the Exploit Unfolded

According to preliminary analyses, the attackers exploited the vault churn process — a routine mechanism in THORChain where node operators rotate and assets are redistributed using threshold signature schemes. By employing address poisoning techniques during this migration, the attackers reportedly injected malicious addresses, tricking the system into authorizing unauthorized transfers.

One detailed breakdown suggests the attacker gained _vaultAllowance over a THORChain vault during what appeared to be a legitimate ERC20 vault migration on Ethereum. This allowed them to sign outbound transactions. Reports indicate the attacker may have operated as a legitimate validator for a couple of days prior to draining funds.

The protocol’s Mimir governance module was used to activate trading and signing halts. A node pause was implemented for roughly 12+ hours starting around block 26190429 to contain further damage.

Market Reaction and Impact

THORChain’s native token, RUNE, plunged sharply on the news, dropping 12-15% within minutes. It fell from around $0.58 to near $0.50, reflecting immediate market concern over the protocol’s roughly $1 billion in total value locked (TVL) and overall security.

No official post-mortem has been released by the THORChain team as of the latest reports, though node operators and security firms like PeckShield and Cyvers are actively monitoring the situation. Users are advised to remain cautious, revoke approvals where relevant, and await further updates before resuming interactions.

Context Within THORChain’s History

This is not the first security incident for THORChain. Previous exploits, including ETH router attacks in 2021 that drained millions, were covered by the treasury, and the protocol implemented fixes. THORChain has positioned itself as a decentralized alternative for native cross-chain swaps, avoiding wrapped assets and centralized intermediaries. However, cross-chain bridges and liquidity protocols remain high-risk targets in DeFi, with over $2.8 billion stolen industry-wide since 2021.

In recent months, THORChain has also been used as a routing path for funds from other major exploits (such as those involving Kelp DAO), generating substantial fees for the protocol but drawing scrutiny.

What’s Next?

THORChain’s decentralized structure—with dozens of independent nodes and no single admin key—helped limit the blast radius through rapid community response. A full investigation and detailed post-mortem are expected soon. The incident underscores the persistent challenges in securing complex cross-chain infrastructure, even in mature protocols.

As the situation develops, liquidity providers and users should monitor official THORChain channels for resumption of services and security recommendations. This event serves as a timely reminder of the trade-offs between innovation in DeFi and the ever-present need for robust security measures.

Disclaimer:

The information provided through this channel does not constitute financial advice and should not be construed as such. This content is for purely informational and educational purposes. Financial decisions should be based on a careful evaluation of your own circumstances and consultation with qualified financial professionals. The accuracy, completeness or timeliness of the information provided is not guaranteed, and any reliance on it is at your own risk. Additionally, financial markets are inherently volatile and can change rapidly. It is recommended that you conduct thorough research and seek professional advice before making significant financial decisions. We are not responsible for any loss, damage or consequences that may arise directly or indirectly from the use of this information.