THORChain has resumed trading and network operations after a more than five week shutdown triggered by a $10.7 million exploit, marking the latest chapter in the protocol’s efforts to strengthen security and restore user confidence.
Key Takeaways
- THORChain has fully resumed trading, swaps, signing, churning, and liquidity provider actions after more than five weeks offline.
- The protocol suffered a $10.7 million exploit on May 15 after a malicious node operator abused a vulnerability in the GG20 threshold signature scheme.
- Losses were absorbed through protocol owned liquidity, avoiding additional RUNE token issuance.
- The recovery included vault migrations, keyshare verification, security upgrades, and plans for new integrations including Zcash, Monero, and Bittensor.
What Happened?
THORChain has restarted core network operations after spending more than a month conducting security reviews, vault migrations, and software upgrades following a major exploit in May. The decentralized cross chain liquidity protocol confirmed that trading, swaps, signing, churning, and liquidity provider actions are now live again.
The network was forced to halt operations on May 15 after a security breach resulted in approximately $10.7 million being drained from one of its Asgard vaults. The incident quickly drew attention from blockchain investigator ZachXBT and security firm PeckShield, which flagged suspicious activity across multiple blockchain networks.
Trading is live again on THORChain.
— THORChain (@THORChain) June 23, 2026
After more than a month offline, the network is fully back. Signing, churning, secured and trade assets, LP actions, and swaps are all up and running. The world’s leading Bitcoin DEX is open for business once again.
This recovery was never…
How the Exploit Unfolded?
According to THORChain, the attack stemmed from a vulnerability in its GG20 Threshold Signature Scheme, a cryptographic system designed to distribute private key control across multiple node operators.
The protocol said a malicious node operator exploited a flaw that allowed the gradual leakage of key material. By reconstructing a complete private key, the attacker gained unauthorized access to an Asgard vault and executed transactions across multiple supported blockchains.
The operator had reportedly joined the network only days before the exploit occurred, raising questions within the community about onboarding safeguards and validator security procedures.
Despite the breach, THORChain’s automated solvency monitoring systems detected unusual vault activity within minutes. Once vault balances exceeded predefined imbalance thresholds, the protocol automatically halted trading, signing, and other critical processes, helping limit the scale of the damage.
Recovery Focused on Security
THORChain emphasized that its recovery strategy prioritized security over speed.
Before restoring services, the protocol completed extensive verification of vault infrastructure and node keyshares. Through its KeyVerify process, the team confirmed the safety of active vaults and retired legacy vaults as part of a broader migration to newly secured vaults.
The protocol described the vault migration as one of the most important milestones in the recovery effort. Every node operator’s keyshare was also reviewed and verified before the network returned to full functionality.
THORChain additionally deployed multiple software upgrades during the downtime. An emergency patch was introduced in May to secure remaining vaults, followed by major upgrades in June that addressed the exploited vulnerability and improved network stability.
A notable aspect of the recovery was the decision to absorb losses through protocol owned liquidity reserves rather than minting additional RUNE tokens. This approach helped avoid further dilution of the token supply following the incident. After news of the exploit emerged in May, RUNE reportedly fell between 12% and 15%.
New Integrations Remain on Track
While recovering from the exploit, THORChain continued work on future network expansions.
The protocol said native Monero swaps are already functioning in testing environments and are expected to launch in the near future. Support for Zcash is also planned, alongside dynamic fee improvements and deeper liquidity enhancements.
Looking further ahead, THORChain intends to add support for Bittensor’s TAO token in the weeks following the network restart.
These planned integrations suggest the protocol is attempting to move beyond recovery mode and return its focus to ecosystem growth.
Community Debates Future Security Model
The exploit has sparked fresh discussion around whether THORChain should continue relying on the GG20 threshold signature scheme.
Many community members are now evaluating alternative cryptographic frameworks that could reduce the risk of similar attacks in the future. Supporters of a transition argue that stronger signing mechanisms could make key leakage attacks significantly more difficult to execute.
The debate is likely to remain a major topic as THORChain continues rebuilding trust following its third major security incident.
CoinLaw’s Takeaway
In my experience, the most important part of this story is not that THORChain was hacked, but how quickly the protocol detected the attack and contained the damage. The automated shutdown systems appear to have worked exactly as intended, preventing what could have become a much larger loss.
I also found the decision to absorb losses without issuing additional RUNE to be a meaningful signal. While the exploit exposed weaknesses in the GG20 security model, the recovery process appears thorough and transparent. Going forward, the biggest factor to watch will be whether THORChain adopts a stronger cryptographic framework that can prevent similar incidents from happening again.
