THORChain Asgard Vault Exploit Drains $10.8M Across Nine Chains

On May 15, 2026, THORChain suffered a major security breach when an attacker compromised one of the protocol's six Asgard vaults, draining approximately $10.8 million in assets across at least nine supported blockchains. The affected chains included Bitcoin, Ethereum, BNB Smart Chain, Base, Avalanche, Dogecoin, Litecoin, Bitcoin Cash, and XRP. RUNE, THORChain's native token, dropped 12-15% immediately following the incident as the protocol halted all trading operations for approximately 13 hours. The leading theory for the attack vector centers on a vulnerability in THORChain's GG20 Threshold Signature Scheme (TSS) implementation. TSS allows a group of validator nodes to co-sign vault transactions without any single node holding the full private key. According to THORChain's post-mortem report, a newly churned node (thor16...n84q) that entered the network several days before the attack is believed to have gradually leaked vault key material. By accumulating enough leaked cryptographic information over time, the attacker reconstructed the Asgard vault's private key and executed unauthorized outbound transactions simultaneously across all nine chains. On-chain investigator ZachXBT first flagged the exploit, initially estimating losses at $7.4 million before updating the figure after a fuller audit. TRM Labs confirmed the following attacker addresses receiving stolen funds: Bitcoin address bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37 (36.85 BTC, ~$2.97M), EVM addresses 0x82fc0d5150f3548027e971ec04c065f3c93154eb and 0xd477b69551f49c0519f9b18c55030676138890bd (3,443 ETH combined, ~$7.77M), plus additional addresses on Bitcoin Cash (qpp775v2je9texcv54rhd6kl9pfudy2nyyz4df2uvc), Dogecoin (DBLJWFemMHbduKofBRg6TJ9XFAgWdvFCjS), Litecoin (ltc1qg0h4rz5kf27fkr99gamw4heg20rfz5epd7m7wh), and XRP (rwoGBrYEJ28jhBjchrTyCGXd1Pt4pobFBz). THORChain's Mimir governance module immediately flipped trading halt and signing halt parameters to active at block 26190429, pausing all protocol operations. The team stated that user deposits appeared safe, with losses limited to protocol-owned vault funds. Following the 13-hour emergency halt, operations resumed after a security patch was deployed. As of this writing, TRM Labs has not attributed the exploit to any specific known threat actor. This incident underscores the systemic risks inherent in multi-party computation (MPC) wallet architectures used by cross-chain protocols. Users interacting with THORChain or similar cross-chain DEXs should monitor official communications during security incidents, avoid panic-selling during trading halts, and be wary of scam refund offers — THORChain warned of fake refund scams circulating after the exploit. Verifying addresses through official protocol channels remains critical during recovery periods.