THORChain has launched a recovery portal for users affected by a $10 million exploit on May 11 that forced the protocol to halt trading across Bitcoin, Ethereum, BNB Chain, and Base, the latest high-profile security breach to hit cross-chain DeFi infrastructure.
In a statement published Saturday, the THORChain Foundation confirmed that affected users can now revoke malicious approvals, review compensation estimates, and submit claims through a treasury-backed refund system.
The protocol said claims will remain open for 21 days, with unclaimed funds eventually redirected to THORChain’s insurance reserve.
The exploit was first detected at approximately 02:14 UTC on May 11 after node operators identified suspicious outbound transactions from one of THORChain’s Asgard vaults.
Trading and outbound signing operations were paused within minutes in an effort to contain losses.
According to blockchain security firm PeckShield, attackers drained 36.75 BTC, worth roughly $3 million, alongside an additional $7 million in assets spanning Ethereum-compatible chains.
Investigators focus on THORChain’s validator infrastructure
THORChain developers believe the exploit may have originated from a vulnerability in the protocol’s GG20 threshold signature scheme (TSS), a cryptographic system used to secure cross-chain vault operations.
The protocol also disclosed that a newly churned validator node entered the network days before the attack and is now believed to be connected to the exploit.
Investigators reportedly identified on-chain links between the validator’s bonding addresses and wallets receiving the stolen assets.
THORChain said it is working alongside blockchain analytics firm Outrider Analytics and law enforcement agencies to trace the funds and identify the attacker.
Blockchain investigator ZachXBT was among the first to publicly flag the suspicious activity, while PeckShield independently traced wallet movements associated with the exploit.
Investors face renewed concerns over cross-chain DeFi risks
The attack marks another high-profile security incident for THORChain, a protocol designed to facilitate native asset swaps across multiple blockchains without relying on wrapped tokens or centralized custodians.
While cross-chain interoperability has become one of DeFi’s fastest-growing sectors, security researchers increasingly warn that the architecture introduces multiple layers of operational and cryptographic complexity.
“Cross-chain security complexity scales multiplicatively, not additively,” one Reddit analysis discussing the exploit noted, reflecting broader concerns within the crypto community about multi-chain attack surfaces.
The exploit also triggered a sharp market reaction. THORChain’s native RUNE token fell roughly 13% following reports of the breach as traders assessed the potential long-term implications for the protocol’s security model.
The incident adds to a difficult year for decentralized finance security. Crypto-related hacks surged in April, with losses nearing $630 million industry-wide, according to several blockchain security trackers.
Analysts say attackers are increasingly targeting validator infrastructure, bridges, and privileged access systems rather than traditional smart contract flaws.
Recovery effort aims to contain reputational damage
Despite the scale of the exploit, THORChain maintains that user assets remain recoverable through the newly established refund mechanism.
The protocol said approximately 12,847 wallets across four chains were affected by the attack. Users must submit claims before the June 4 deadline to qualify for compensation.
For crypto investors, the breach highlights a growing dilemma in decentralized finance: protocols that enable seamless interoperability often offer substantial utility and liquidity efficiency.
As investigations continue, market participants will likely watch closely for evidence of whether THORChain’s treasury-backed compensation strategy can restore confidence.