Crypto News

THORChain exploit drains $10.8 million across four blockchains

By Telemac

Share

THORChain exploit drains $10.8 million across four blockchains

THORChain, the decentralized cross-chain liquidity protocol, was hit by a major exploit on Friday, May 15, 2026. An attacker successively drained approximately $10.8 million in cryptocurrencies across four different blockchains: Bitcoin, Ethereum, BSC (Binance Smart Chain), and Base. In response, the protocol immediately suspended all trading and signing operations, causing a complète network halt for nearly 13 hours. This attack, one of the most significant of the year in the DeFi ecosystem, reignites the debate on the security of cross-chain infrastructures and on the inherent risks of distributed liquidity protocols. Industry experts are questioning whether the decentralized architecture so praised by THORChain is truly more secure than traditional centralized solutions.

THORChain exploit

Context

THORChain operates as a decentralized cross-chain liquidity network, enabling users to exchange native assets between different blockchains without resorting to a wrapper or centralized bridge. The protocol uses a system of independent nodes to validate cross-chain transactions, which distinguishes it from traditional bridge bridges. This architecture had contributed to its popularity in the DeFi ecosystem, with a daily volume of $394 million recorded at the time of the attack. The protocol had been presented as a safer solution than centralized exchanges because it does not require custody of user funds.

This exploit comes in a context already marked by a series of security incidents in the DeFi sector. In April 2026 alone, the Drift Protocol and the KelpDAO project had already been victims of major flaws, together causing more than $600 million in losses. Cross-chain bridges and liquidity protocols remain the most targeted category by attacks in the DeFi space, with more than $2.8 billion in cumulative bridge-related theft since 2021 according to Chainalysis. This dark history has not stopped the proliferation of interoperability protocols, which continue to multiply despite the evident risks.

The THORChain protocol had experienced a period of high activity just before the exploit. According to available data, the network had processed $394 million in daily volume at the precise moment when hackers would have used THORChain to move funds stolen during the KelpDAO breach, between Ethereum and the Bitcoin network. This temporal correlation fueled speculation about a possible link between the two incidents, although THORChain has not confirmed this hypothesis. Analysts note that pirates often exploit DeFi protocols to launder proceeds from other attacks, which complicates traceability.

The cross-chain ecosystem as a whole is facing a crisis of confidence. Users and investors are beginning to question the real security of protocols that promise frictionless interoperability. Security audits, long considered a guarantee of reliability, are proving insufficient given the complexity of distributed architectures. THORChain nodes, which are supposed to validate transactions, failed to detect or stop the attack before it was complète.

The Facts

The exploit was identified on May 15, 2026 by blockchain researcher ZachXBT, who immediately alerted the community on Telegram. According to Arkham Intelligence data, the attacker’s wallets currently hold 3,443 ETH (approximately $7.77 million), 36.85 BTC (approximately $2.97 million), and 96.6 BNB (approximately $66,000). The total amount of the exploit is estimated at $10.8 million, distributed across the four impacted blockchains. The funds were transferred to wallets controlled by the attacker, who has not yet been identified.

Upon receiving the alert, THORChain’s Mimir governance module activated the trading halt and signing halt parameters. The node pause was extended until block 26,191,149, or approximately 12 hours and 42 minutes of complète halt. This decentralized governance décision made it possible to limit additional damage by preventing any further movement of funds on the network. However, the décision-making process based on Mimir raised the question of the time required to trigger such a pause in an emergency situation.

The native RUNE token recorded a 12 to 15% drop within minutes, falling from $0.58 to approximately $0.50 according to CoinGecko data. The market capitalization of the protocol, which was valued at approximately $204.88 million before the drop, was significantly impacted. Several exchanges issued alerts to their users, recommending not to interact with addresses linked to the attacker. Some platforms even decided to temporarily suspend RUNE token deposits as a precaution.

The protocol has not yet published a post-mortem explaining the precise attack vector. The community nevertheless speculates that the exploit could be linked to the transfer of funds stolen during the KelpDAO breach. In September 2025, THORSwap had already issued a bounty after a hacker drained $1.2 million from the personal wallet of founder John-Paul Thorbjornsen, an attack attributed by ZachXBT to North Korean hackers. The link between different security incidents would suggest an organized threat specifically targeting the THORChain ecosystem and its satellites.

Analysis

This attack highlights the persistent vulnerabilities of cross-chain infrastructures. Unlike marketing statements that present these protocols as more secure than centralized bridges, THORChain’s distributed architecture did not prevent the exploit. The fact that four different blockchains were impacted simultaneously suggests a flaw in the protocol’s cross-chain validation system. Security experts note that simultaneous attacks on multiple chains are particularly difficult to stop because they exploit confirmation delays between networks.

The difficulty of detecting these attacks in real time is also evident. Despite the presence of active blockchain researchers like ZachXBT, the attacker was able to transfer funds across multiple chains before the protocol reacted. The 12-hour halt raises questions about the responsiveness of node operators. The Mimir governance system, supposed to enable rapid interventions, did not completely prevent the loss of funds. Decentralization, while providing censorship resistance, does not seem to guarantee better responsiveness in the face of attacks.

The implications for the cross-chain ecosystem are significant. Distributed liquidity protocols like THORChain play a crucial role in the interoperability of the cryptocurrency market. A security flaw of this magnitude could call into question user and developer confidence in this type of infrastructure. THORChain’s direct competitors, including atomic bridges and centralized cross-chain exchange solutions, could benefit from this failure. However, these alternatives are not themselves exempt from risks.

The question of responsibility in cross-chain attacks remains largely unresolved. Unlike centralized platforms, decentralized protocols generally have no identifiable legal entity as responsible in case of a flaw. Users who have lost funds rarely have effective recourse, creating a fundamental imbalance in the risk-reward equation for liquidity providers. This asymmetry is often ignored by DeFi protocol marketing, which highlights returns without mentioning the risks of total loss.

The history of DeFi protocols shows a repetition of the same mistakes. Security audits are conducted after development, whereas security should be designed from the start. Security updates are often deployed in haste, without the necessary time for thorough testing. The economic incentives of protocols are not always aligned with optimal system security, creating structural flaws that are difficult to correct.

Market Reactions

The market reacted negatively to the announcement of the exploit. The RUNE token recorded a 12% drop in the hours following the alert, with a 24-hour volume of $32.46 million. This sudden volatility also impacted tokens from protocols linked to the THORChain ecosystem, including THORSwap and the liquidity aggregators that depend on the protocol. Traders began closing their positions for fear of an extended liquidity drain.

Exchanges responded in varied ways to the incident. Binance published an informative note to its users, recommending vigilance when transactions involving assets from suspicious addresses. Other exchanges preferred to temporarily suspend RUNE token deposits and withdrawals until the situation was clarified. This caution contrasts with the protocol’s regular assurances about its security.

Liquidity providers and routers connected to THORChain were put on pause as a precaution. This décision, while responsible from a security perspective, created disruptions for users who had immobilized funds in liquidity pools. The wait for an official incident report leaves the community in uncertainty about what comes next. Users are currently earning zero returns on their deposits while waiting for operations to resume.

Market observers note a correlation between this attack and the general decline in DeFi metrics. Users retreated their funds from cross-chain protocols to more conservative solutions, such as centralized platforms or protocols with a longer security history. This trend could accelerate the concentration of liquidity around a few major market players.

Outlook

Until the publication of an official security assessment by THORChain, several questions remain unanswered. The protocol has promised a complète incident report, but communication delays have become a point of tension within the community. This opacity could affect user and investor confidence in the medium term. The repeated silences from THORChain teams on previous incidents suggest a corporate culture oriented toward minimal communication.

Short-term scenarios depend largely on the content of the post-mortem. If the attack vector is identified and corrected in a credible manner, the protocol could become operational again quickly. THORChain’s development teams have historically managed past incidents well, suggesting adequate response capacity. On the other hand, if the vulnerability proves to be structural and requires a redesign of the architecture, recovery timelines could lengthen significantly. An architectural redesign generally takes several months and requires a new round of security audits.

For investors and liquidity providers connected to THORChain or dependent protocols, it is recommended to monitor official communications and consider reducing exposure until the situation is clarified. The historical experience of other attacked DeFi protocols shows that recovery attempts can be long and uncertain. Transparency in communication and the speed of technical response will be key indicators of the protocol’s ability to recover from this incident.

The cross-chain sector as a whole must reflect on its security practices. Protocols must invest more in attack prevention, not just incident response. Security audits must become an ongoing practice, not a one-time event. Open-source communities must collaborate better to identify and correct vulnerabilities before they are exploited. The survival of the DeFi ecosystem depends on its ability to offer real security guarantees to its users.

Sources

Telemac
Telemachttp://cryptoinfo.ch

Contenu [hide]

Lire la Suite

Articles