THORChain restores full operations after $10.7 million exploit on June 23

THORChain restores full operations after $10.7 million exploit on June 23

Davis Washington Published:

By

THORChain has officially restored full operations as of Tuesday, June 23, 2026, ending a 39-day network halt caused by a $10.7 million security exploit. The decentralized cross-chain protocol brought signing, churning, swaps, and liquidity provider (LP) actions back online just before 3 a.m. ET, following more than five weeks of offline verification and patching.

The network originally froze operations on May 15, 2026, after developers detected abnormal behavior within one of the protocol’s six Asgard vaults. While the network successfully halted signing activity and trading within minutes of the detection, an attacker had already managed to initiate approximately $7.4 million in unauthorized transactions. Final estimates later confirmed total losses reached $10.7 million.

RUNE, the protocol’s native token, was trading at approximately $0.42 at the time of the restart announcement. This represents a stabilizing period for the asset, which had plunged more than 21% in the days immediately following the May 15 breach.

Anatomy of the GG20 Threshold Signature Scheme exploit

Investigation into the breach revealed that a malicious node operator, who had joined the THORChain network just two days prior to the attack, was responsible for the drain. The attacker leveraged a vulnerability in the GG20 Threshold Signature Scheme (TSS). During the network’s signing ceremonies, the perpetrator was able to reconstruct a full private key through a process described as “progressive leakage of key material.”

With the reconstructed private key in hand, the attacker bypassed the GG20 signing ceremony entirely. This allowed them to sign and broadcast unauthorized outbound transactions directly to external blockchains. The initial estimated losses included 36.75 BTC, valued at roughly $3 million, alongside $7 million in assets from Ethereum, BNB Chain, and Base.

The technical failure forced a re-evaluation of how the protocol secures its distributed keys. To address these vulnerabilities, THORChain developers deployed a major upgrade on June 9, 2026, to fix the specific GG20 flaw. Subsequent updates on June 11 introduced stability improvements and the KeyVerify protocol to the network’s architecture.

Impact across multiple blockchain vaults

While early reports focused on a few core chains, the full extent of the exploit covered a wide range of integrated networks. Funds were drained from vaults across at least nine chains, including Bitcoin, Ethereum, BNB Chain, Base, Avalanche, Dogecoin (DOGE), Litecoin, Bitcoin Cash, and XRP.

To handle the financial fallout without diluting the token supply, THORChain opted to use protocol-owned liquidity to absorb the $10.7 million loss. This decision ensured that user funds remained safe while avoiding the minting of new RUNE tokens to cover the deficit. This focus on protocol-level security aligns with broader industry discussions, where leaders like Brian Armstrong have argued that finance must move on-chain to ensure transparency and long-term viability.

Recovery roadmap and coordination with Maya Protocol

The 39-day halt was characterized by a gradual recovery strategy that prioritized security over a rapid restart. The process involved a complete migration to a new set of vaults and the verification of every validator keyshare. Developers confirmed that every vault was checked before the system was authorized to go live once more.

Coordination with the Maya Protocol team proved vital during the downtime. Maya, a friendly fork of THORChain, helped maintain a level of cross-chain liquidity while the main THORChain network was in its six-week hibernation. This allowed for some continued activity in the ecosystem even as the primary network’s Asgard vaults remained locked.

The final steps of the restart required node operators to approve version 3.19.0 of the protocol. This software iteration introduced a “quarantine” mechanism for compromised vaults. This feature is intended to allow the network to isolate suspicious activity in the future without necessitating a total network shutdown.

Future integrations and the drive for deeper liquidity

Despite the significant setback, THORChain is proceeding with its development schedule for the remainder of the year. The official announcement listed native Monero (XMR) swaps as the next major feature. End-to-end testing for XMR is already complete, with a mainnet launch described as being on the horizon. Following Monero, the protocol plans to introduce support for Zcash (ZEC).

The development team also indicated that support for the Bittensor network is expected at a later date. These expansions are part of a broader push to restore the Total Value Locked (TVL) on the platform, which currently sits at approximately $53 million. This is a significant drop from the $80 million recorded on the day of the exploit, and far below the peak of $500 million seen in March 2024.

The protocol’s struggle to regain its footing comes at a time of shifting market sentiment. While some segments of the market have faced pressure, others have seen localized growth, such as when tokens like Near Protocol and Hyperliquid surged during the previous month. THORChain’s recovery will likely depend on the performance of its new security protocols and the successful rollout of its planned privacy coin integrations.

Network status and ongoing security measures

As of the restart, THORChain’s daily trading volume has reached approximately $16.29 million. All core functions, including “churning”—the process where the network regularly rotates node operators and reshuffles keys—are functioning normally. This process is essential for maintaining the decentralized integrity of the Bitcoin DEX.

Developers have urged the community to remain vigilant as the network re-establishes liquidity depth. The team noted that the successful recovery owed much to the work of the node operators and the dev team who facilitated the migration. The introduction of the dynamic fee system and deeper liquidity optimization remain ongoing projects aimed at making the protocol more resilient to market volatility.

This incident marks the third significant security milestone in THORChain’s operational history. The protocol previously suffered two compromises in July 2021, and its founder was personally targeted in a 2025 security incident. Cumulative losses since 2021 are now estimated to be approaching the $25 million mark, highlighting the high-stakes nature of cross-chain liquidity provision. All functions are now being monitored by security partners to prevent any further progressive leakage of key material.