
THORChain Is Back Online After Its $10.7 Million Exploit



More than a month of security work, a complete vault migration, and multiple protocol upgrades. The network is live again — and it’s already planning new integrations.

THORChain resumed full network operations on Tuesday, ending a 39-day trading halt that began after a $10.7 million exploit on May 15 exposed a critical vulnerability in the protocol’s key management architecture. Trading, signing, swaps, and liquidity provider actions are all restored.

The recovery wasn’t a quick patch job. Over five weeks, the team implemented emergency fixes, shipped two separate upgrade packages, verified every node’s keyshare individually, and completed a full migration from legacy vaults to a new vault set — a process the protocol described as the most significant milestone in its recovery.

For a protocol that sits at the center of cross-chain crypto trading, enabling swaps between networks including Bitcoin and Ethereum, the extended downtime carried real consequences. The return to operation comes with a substantially rebuilt security foundation, and with a roadmap that suggests THORChain is moving forward rather than simply returning to where it was before.

What the Exploit Actually Did

Understanding what went wrong requires a brief look at how THORChain secures its vaults.

The protocol uses a GG20 threshold signature scheme to control the wallets that hold user funds. Rather than a single private key sitting with one party — a single point of failure — GG20 distributes key control across multiple node operators. Any significant transaction requires a threshold of nodes to cooperate in signing, which is supposed to prevent any individual operator from unilaterally accessing funds.

The vulnerability that the May 15 attacker exploited was a flaw in this scheme that allowed a malicious node operator to engage in what THORChain described as “progressive key material leakage.” Through repeated interactions with the signing process, the attacker was able to gradually reconstruct a full private key — defeating the distributed security model without needing to compromise multiple operators simultaneously.

Once a full private key was reconstructed, the vault it controlled was effectively owned by the attacker. The $10.7 million theft followed.

The flaw is sophisticated. It didn’t require breaking cryptography or exploiting a simple code error. It exploited a property of the signing protocol itself under conditions that weren’t adequately guarded against — the kind of vulnerability that can survive multiple audits and only surface when someone with specific knowledge of the scheme’s mathematical properties goes looking for it.

The Recovery Timeline

The response unfolded in stages over five weeks, each addressing a different layer of the problem.

An emergency patch deployed on May 20 — five days after the exploit — protected the remaining vaults while the team worked on a more comprehensive fix. This bought time without fully resolving the underlying vulnerability.

On June 9, THORChain released a substantive upgrade that included a direct fix for the exploited GG20 vulnerability. Two days later, a follow-up upgrade added stability improvements and fixes to the KeyVerify protocol — the mechanism used to verify that nodes hold the correct keyshares.

That KeyVerify work became the centerpiece of the final recovery phase. Over the following week, the team completed verification of every node’s keyshare individually — a process that confirmed each participating node held what it was supposed to hold and nothing more. On Sunday, the protocol announced it had confirmed the safety of most vaults through KeyVerify and retired the remaining legacy vaults as part of a migration to an entirely new vault set.
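The threshold property described earlier and the idea of checking each node's keyshare individually, as an added example that is not THORChain's code. It uses Shamir secret sharing with Feldman commitments as a stand-in: GG20 signs without ever reassembling the key, and the article does not describe how KeyVerify works internally. The parameters, function names and sample secret are illustrative assumptions.

```python
import secrets

# Toy parameters (constructed for illustration; far too small for real use):
# P = 2Q + 1 with P and Q prime, and G generates the order-Q subgroup of Z_P*.
P, Q, G = 2039, 1019, 4

def deal(secret, threshold, n):
    """Split `secret` into n shares; any `threshold` of them recover it."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(threshold - 1)]
    shares = {i: sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q
              for i in range(1, n + 1)}
    commitments = [pow(G, c, P) for c in coeffs]  # public, one per coefficient
    return shares, commitments

def verify_share(i, share, commitments):
    """Check node i's share against the public commitments (Feldman check)."""
    expected = 1
    for j, c in enumerate(commitments):
        expected = expected * pow(c, pow(i, j, Q), P) % P
    return pow(G, share, P) == expected

def reconstruct(shares):
    """Lagrange-interpolate f(0) mod Q from a dict {node index: share}."""
    total = 0
    for i, y in shares.items():
        num = den = 1
        for k in shares:
            if k != i:
                num = num * (-k) % Q
                den = den * (i - k) % Q
        total = (total + y * num * pow(den, -1, Q)) % Q
    return total

def demo():
    # 3-of-5 sharing of a constructed sample secret.
    shares, commitments = deal(secret=777, threshold=3, n=5)
    all_valid = all(verify_share(i, s, commitments) for i, s in shares.items())
    # A share that differs from what was dealt fails the per-node check.
    tampered_ok = verify_share(2, (shares[2] + 1) % Q, commitments)
    quorum = {i: shares[i] for i in (1, 3, 5)}
    return all_valid, tampered_ok, reconstruct(quorum)

if __name__ == "__main__":
    print(demo())
```

The per-share check needs only public commitments, so each holder can be verified without any share being revealed or the key being reassembled.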

The vault migration is the most structurally significant part of the recovery. Moving to new vaults means the old infrastructure — including any residual exposure from the GG20 vulnerability — is no longer in active use. The network is operating on a clean foundation rather than a patched version of the compromised one.

The Dual Reputation Problem

THORChain occupies an unusual position in the crypto security conversation. It is simultaneously a legitimate and widely used cross-chain trading infrastructure and a protocol that has attracted significant criticism from blockchain investigators because it has repeatedly been used to launder stolen funds.

The irony in the current situation is hard to miss. THORChain was exploited for $10.7 million in May. Earlier this month, the hacker responsible for the $293 million KelpDAO exploit was found to have laundered nearly all of the 75,700 stolen ETH through THORChain’s cross-chain swap functionality. The protocol was both victim and unwilling infrastructure in the same quarter.

This dual role reflects a genuine tension in how cross-chain protocols function. THORChain’s permissionless design — the feature that makes it useful for legitimate users who want to swap assets across chains without KYC requirements or centralized custody — is the same feature that makes it attractive to actors moving stolen funds. The protocol cannot easily distinguish between a legitimate swap and a laundering operation without implementing controls that would undermine its core value proposition.

The protocol has faced calls from some in the security community to implement more aggressive screening or blocking of known hacker wallets. Others argue that permissionless infrastructure is structurally neutral and that responsibility for preventing laundering lies with other points in the ecosystem. That debate has not been resolved and is unlikely to be resolved by the security upgrades implemented during the recovery period.

What Comes Next

With the network back online, THORChain has outlined its near-term integration roadmap. Within the next two weeks, the protocol plans to launch native swaps and vaults for Zcash, the privacy-preserving cryptocurrency. Monero support is also planned to follow. In approximately six weeks, THORChain will add support for Bittensor’s TAO token.

The privacy coin integrations are notable given THORChain’s existing scrutiny from blockchain investigators. Zcash and Monero both offer transaction privacy features that make on-chain tracing significantly more difficult than with transparent chains like Bitcoin or Ethereum. Adding native support for these assets will likely intensify existing criticism about THORChain’s role in enabling fund movements that are difficult to track.

From a purely technical standpoint, the integrations represent the protocol executing on its core mission: becoming the most comprehensive cross-chain trading layer in the ecosystem. From a regulatory and reputational standpoint, launching privacy coin support in the immediate aftermath of a major exploit and while questions about the protocol’s use in laundering operations are still active is a choice that will attract attention.

The network is live. The security work done over the past five weeks is real and represents a meaningful improvement over the architecture that was exploited. Whether the combination of a strengthened security foundation and expanded privacy coin support makes THORChain more or less controversial in the months ahead is a question the market will answer.

Aryad Satriawan is an Investment Storyteller with a professional career in the crypto (web3) and stock market industry. Aryad has been actively trading and writing analysis and research on crypto, stock and forex markets since 2016, and is currently an educator at one of the largest stock brokers in Indonesia.