THORChain Reopens 39 Days After $10.7M Vault Exploit

THORChain Reopens Every Trading Function

THORChain enables users to swap native assets such as bitcoin, ether and stablecoins without sending funds through a centralized exchange or receiving wrapped versions of those assets. That design depends on network-controlled vaults that hold real coins across multiple blockchains.

The June 23 restart restored the functions required to move those assets. Signing authorizes outbound transactions, churning rotates validators and vaults, liquidity actions let providers add or remove capital, and trading connects those pieces into executable swaps.

THORChain did not reopen everything at once. Validators first adopted v3.19, validated the ADR-028 economic migration and ran a temporary keyverify process to confirm that node key shares were intact. The network then resumed signing and completed a churn that moved funds into new vaults before reopening liquidity actions and trading.

A June restart briefing said v3.19.1 added verification stability work and another security patch before the final churn. The sequence treated trading as the last service to return because it creates continuous demand for vault signatures across supported chains.

The operational return is visible in THORChain markets tracked by CoinGecko, including active BTC/RUNE and ETH/RUNE pairs. The protocol’s main website still displayed a temporary-pause warning when reviewed Tuesday, however, making the official X announcement and live market activity the clearer current indicators.

How the THORChain Vault Exploit Worked

The shutdown began May 15 after an attacker compromised one Asgard vault. THORChain’s official exploit report said a newly churned node operator joined two days earlier and exploited a vulnerability in the network’s GG20 threshold-signature implementation.

Threshold signatures are designed to split control of a vault key among many nodes so no single operator possesses the full private key. THORChain said the attacker defeated that protection, reconstructed enough sensitive material to authorize unauthorized transactions and drained one of five vaults.

Automatic solvency checks detected abnormal balances within minutes and stopped signing on several chains. Node operators then used manual pauses and governance votes to halt trading, signing, chain observation and churning across the network within about two hours of the public alert.

The remaining four vaults were not affected, according to the report. THORChain also said the Solana pool was safe because its signature system was not vulnerable to the same attack class and that initial findings showed no direct loss of individual user funds.

The incident added to a severe month for protocol security. Daily Crypto Briefs tracked more than $605 million lost across crypto platforms, with key management, bridges and cross-chain messaging repeatedly appearing as high-value failure points.

THORChain patched the immediate weakness through v3.18.1, then bundled broader TSS security changes into v3.19. The recovery process also added compromised-vault quarantine controls and required fresh checks of distributed key shares before vault signing could resume.

RUNE Holders Face the Recovery Test

The approved ADR-028 recovery plan directs protocol-owned liquidity to absorb the loss first. Any uncovered shortfall can then be distributed proportionally across holders of THORChain synthetic assets, while future network income rebuilds the protocol’s liquidity reserves.

The plan states that no new RUNE will be minted or sold, avoiding direct token dilution. The malicious node was also subject to slashing, while innocent nodes that shared the compromised vault were protected under the approved framework.

That approach shifts the market test from token supply to liquidity quality. Using protocol-owned capital preserves RUNE’s issuance structure, but a thinner reserve base can make fee generation, pool depth and future loss absorption more important after trading resumes.

RUNE’s price has recovered from its early June low near $0.32 but remains below the roughly $0.45 level recorded one month ago. The increase in daily volume after the restart suggests traders are returning, although one session does not establish that liquidity has normalized.

Broader sentiment also remains defensive. The Crypto Fear and Greed Index stood at 23, or Extreme Fear, on June 23.

THORChain said native Monero swaps were already working in end-to-end testing, with Zcash expected to follow. Those additions could expand demand for privacy-focused cross-chain liquidity, but they also increase the number of chain clients and operational paths the restored network must support.

The next evidence will come from sustained swap volume, validator stability, vault solvency and the completion of THORChain’s deeper security review. A full technical follow-up on the GG20 failure was not yet published when this article was completed, and the amount ultimately recovered from the attacker remained unclear.