- Trending
- Comments
- Latest
A major Thorchain exploit has shaken the decentralized finance sector after attackers drained an estimated $10 million to $11 million from the protocol by manipulating its vault churn process across multiple blockchains.
The Thorchain exploit was first flagged Friday by prominent onchain investigator ZachXBT, who initially estimated losses above $7.4 million before later revising the figure upward as additional compromised assets were identified. The attack affected vaults connected to Bitcoin, Ethereum, BNB Smart Chain, and Base.
According to preliminary findings, the Thorchain exploit centered on the protocol’s “vault churn” mechanism, a core operational process that rotates node operators while redistributing assets secured through threshold signature schemes. Attackers allegedly inserted malicious destination addresses into that migration flow, allowing unauthorized transfers to be approved during the churn cycle.
Security researchers say the Thorchain exploit demonstrates how even decentralized systems without single admin keys can still face operational vulnerabilities during automated asset coordination.
Blockchain monitoring firms tracking the Thorchain exploit identified significant losses across multiple assets. Stolen funds reportedly include roughly 3,443 ETH valued at around $7.77 million, 36.85 BTC worth approximately $2.97 million, and nearly 96.6 BNB valued at roughly $66,000.
Early estimates tied to the Thorchain exploit also included approximately 798,000 USDC, though investigators continue reconciling wallet movements across chains.
Three theft addresses connected to the Thorchain exploit were publicly flagged on Bitcoin and Ethereum networks shortly after the breach. Blockchain security companies including PeckShield and Cyvers have since been monitoring those wallets for signs of laundering or cross-chain movement.
The stolen funds appear largely dormant at the time of publication, though analysts caution that attackers may still attempt to route assets through mixers, bridges, or privacy-focused protocols.
Node operators responded quickly after confirmation of the Thorchain exploit by activating the protocol’s decentralized emergency shutdown system using Thorchain’s Mimir governance settings.
The emergency response temporarily halted swaps, vault churning, and signing activity across affected chains beginning around block 26190429. Native RUNE transactions continued operating in limited form, but liquidity providers and traders were effectively locked out of core cross-chain functions.
The Thorchain exploit immediately impacted market sentiment surrounding the protocol’s native token. RUNE fell between 12% and 15% within hours after ZachXBT’s alert circulated through crypto markets. Prices dropped from approximately $0.58 to near $0.50 across major exchanges as traders reacted to the scale of the breach.
As of publication, the official THORChain X account had not released a full public statement regarding the Thorchain exploit, and no official post-mortem had yet been published by node operators.
The Thorchain exploit has renewed scrutiny around the protocol’s vault migration architecture, which has long been considered one of its most technically sensitive components.
Thorchain operates through a decentralized network of more than 90 nodes and was specifically designed to avoid centralized custodians, wrapped assets, and single points of failure. That architecture helped the protocol withstand several previous market disruptions, but security researchers now say the churn mechanism itself may represent a recurring attack surface.
“This appears to be an operational exploit rather than a consensus-level failure,” one blockchain security analyst wrote following the Thorchain exploit. “The protocol’s decentralization remained intact, but the migration logic was manipulated during a critical process.”
The Thorchain exploit also follows earlier security incidents involving the protocol. In July 2021, attackers exploited vulnerabilities tied to Thorchain’s Ethereum router integrations, draining between $4.9 million and $8 million in separate attacks. At the time, the team paused network activity and later reimbursed users from treasury reserves.
While the technical profile differs, the latest Thorchain exploit again targets infrastructure tied to asset movement and liquidity coordination.
The Thorchain exploit arrives during a period of increased scrutiny surrounding the protocol’s role in cross-chain liquidity flows.
Throughout 2025 and early 2026, blockchain investigators repeatedly linked Thorchain infrastructure to large-scale fund movements connected to high-profile hacks, including the massive Bybit Hack attributed to North Korea’s Lazarus Group.
Investigators also tracked significant ETH-to-BTC swaps through Thorchain following the KelpDAO incident involving more than $175 million in assets.
Those transactions generated substantial fee revenue for the protocol but also drew criticism from compliance experts and regulators who argued decentralized liquidity systems were becoming increasingly difficult to monitor.
The latest Thorchain exploit is likely to intensify those concerns, especially as regulators globally continue debating how decentralized protocols should handle security, governance, and anti-money laundering responsibilities.
For now, users affected by the Thorchain exploit remain in limbo while investigators and node operators continue examining the breach.
Liquidity providers have been urged to avoid interacting with the protocol until services resume and security reviews are completed. Analysts expect Thorchain developers and node operators to publish a detailed technical breakdown explaining how the exploit occurred and whether any user reimbursements will follow.
The Thorchain exploit also highlights a broader issue facing decentralized finance infrastructure: operational complexity itself can become a security liability, especially when protocols manage assets across multiple chains simultaneously.
As investigations continue, traders and liquidity providers are closely watching Thorchain’s next steps. Whether the protocol can restore confidence after another major security incident may determine how aggressively institutional users and large liquidity providers engage with decentralized cross-chain systems going forward.
Copyright © 2025 - The Bit Gazette.
