
HIGH RISK
THORChain Halts Trading After $10.8M Multi-Chain Vault Exploit
A rogue validator node exploited a GG20 TSS vulnerability to drain $10.8M from THORChain Asgard vaults across nine chains. Over 12,000 wallets affected.
Our Analysis
On May 15, 2026, an attacker drained approximately $10.8 million from THORChain's Asgard vaults in a coordinated exploit spanning at least nine blockchains, including Bitcoin, Ethereum, BNB Smart Chain, Base, Avalanche, Dogecoin, Litecoin, Bitcoin Cash, and XRP. On-chain investigator ZachXBT first flagged unusual outflows around 09:45 UTC, prompting THORChain node operators to execute an emergency halt via the Mimir governance module at block 26190429. All trading, swaps, liquidity provider actions, and signing operations were frozen for approximately 13 hours. RUNE dropped from $0.58 to $0.50, a decline of roughly 15%.
The exploit targeted a previously unknown vulnerability in THORChain's GG20 Threshold Signature Scheme (TSS) implementation. According to analysis from PeckShield, Cyvers, and THORChain's core security team, the attack involved the gradual leakage of vault key material during keygen or signing rounds. A rogue node identified as thor16ucjv3v695mq283me7esh0wdhajjalengcn84q had joined the active validator set several days before the incident. Once enough key shards were reconstructed offline, the attacker forged outbound signatures from the Asgard vault without triggering normal quorum checks, enabling unauthorized withdrawals across all supported chains simultaneously.
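Why reconstructed shards sidestep quorum checks, shown as an added example that is not code from THORChain or from the analysts cited above. It uses a simplified Shamir threshold model rather than the GG20 protocol itself; the 3-of-5 setup, the function names and the key are assumptions constructed for illustration.

```python
# Added illustration: Shamir threshold sharing over the secp256k1 group order.
# Simplified model of "key shards"; this is not GG20 and not THORChain code.
import secrets

# Order of the secp256k1 group (the curve behind Bitcoin and Ethereum keys).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split(secret, threshold, parties):
    """Return {x: f(x)} for a random polynomial of degree threshold-1 with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(threshold - 1)]
    shares = {}
    for x in range(1, parties + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod N
            y = (y * x + c) % N
        shares[x] = y
    return shares


def reconstruct(shares):
    """Lagrange-interpolate f(0) from the shares supplied."""
    secret = 0
    for xi, yi in shares.items():
        num, den = 1, 1
        for xj in shares:
            if xj != xi:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        secret = (secret + yi * num * pow(den, -1, N)) % N
    return secret


def leak_demo(threshold=3, parties=5):
    """Constructed scenario: shares reach a single observer one at a time."""
    key = secrets.randbelow(N - 1) + 1  # constructed stand-in for a vault key
    shares = split(key, threshold, parties)
    leaked, results = {}, []
    for x in sorted(shares):
        leaked[x] = shares[x]
        results.append((len(leaked), reconstruct(leaked) == key))
    return results


if __name__ == "__main__":
    for count, recovered in leak_demo():
        print(f"{count} share(s) leaked -> key recovered: {recovered}")
```

Below the threshold the interpolated value is unrelated to the key. At the threshold one party holds the whole private key, and a signature made with it verifies against the same vault public key as one produced by an honest signing round.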
Arkham Intelligence labeled multiple wallets as "THORChain Exploiter" addresses. The primary Ethereum wallet (0xd477b69551f49c0519f9b18c55030676138890bd), tagged as "THORChain Exploiter 4," held a balance of 3,206.47 ETH (~$6.8M). This address received large transfers from "THORChain Exploiter 3" on May 15, including 1,866 ETH at 07:24 UTC and 1,086 ETH at 09:06 UTC. Across all chains, the attacker's wallets held approximately 3,443 ETH, 36.85 BTC (~$3M), and 96.6 BNB. Stolen tokens included WBTC, USDT, USDC, DAI, AAVE, and LINK, representing roughly 20% of active vault holdings from one of six Asgard vaults.
THORChain confirmed that no user funds or liquidity provider positions were directly lost; only protocol-controlled funds were compromised. The rogue node's bond is expected to be slashed as part of the recovery. Version 3.18.1, a critical patch addressing the TSS vulnerability, was prepared for node operators by May 19, with a broader v3.19 release planned to implement whichever recovery mechanism governance approves. The team launched a compensation portal that lets affected users, spanning over 12,000 wallets, verify eligibility and submit claims.
Users should verify that they are not interacting with any compromised addresses and should monitor THORChain's official channels for updates on the governance vote. Those with funds in THORChain vaults should review the compensation portal once full trading resumes. The incident underscores the risks inherent in threshold signature schemes and the importance of validator monitoring — a single rogue node was sufficient to compromise vault security across nine chains.
The THORChain exploit adds to a growing list of cross-chain infrastructure attacks in 2026, joining the KelpDAO LayerZero bridge hack ($292M) and the Verus-Ethereum bridge exploit ($11.5M) in highlighting systemic vulnerabilities in multi-chain DeFi protocols. THORChain had previously processed stolen funds from the 2025 Bybit breach, raising broader questions about the protocol's role in the DeFi ecosystem.
RugPull News • May 15, 2026
Rug Pull Score
7.8/10
Based on our analysis
🚩 Red Flags Identified
- Attacker joined validator set days before exploit via rogue node thor16ucjv3v695mq283me7esh0wdhajjalengcn84q
- Drained Asgard vault 0xd477b69551f49c0519f9b18c55030676138890bd held over 3,206 ETH post-exploit
- Exploit leveraged previously unknown GG20 TSS vulnerability to reconstruct vault private keys
- Attacker wallets consolidated 3,443 ETH, 36.85 BTC, and 96.6 BNB across multiple chains
- Funds traced across nine chains simultaneously: BTC, ETH, BSC, Base, AVAX, DOGE, LTC, BCH, and XRP
- RUNE token dropped 15% from $0.58 to $0.50 within hours of exploit detection
Disclaimer: This analysis is for informational purposes only and should not be considered financial advice. Always conduct your own research before making investment decisions.


