THORChain resumed trading and network operations on June 23, more than five weeks after a $10.7 million exploit forced its halt on May 15. The restart follows security upgrades, vault migrations, and verification procedures aimed at preventing a repeat of the breach that targeted one of its Asgard vaults. The May 15 attack exposed weaknesses in the protocol's GG20 Threshold Signature Scheme (TSS) and drained funds across nine blockchains. The disruption marked one of the longest in the project's history.
THORChain Restores Infrastructure Following Security Upgrades
THORChain confirmed on June 23 that trading, swaps, liquidity provider actions, and signing functions had been restored after contributors completed security reviews and network upgrades. According to the protocol's statement, "Signing, churning, secured and trade assets, LP actions, and swaps are all up and running."
The May 15 exploit drained approximately $10.7 million from a single vault. Investigators determined that the attacker was a node operator who had joined the network just two days before the exploit and abused the platform's vulnerabilities. The breach affected assets across at least nine blockchains, including Bitcoin, Ethereum, BNB Chain, Base, Avalanche, Dogecoin, Litecoin, Bitcoin Cash, and XRP.
THORChain's automatic solvency mechanisms detected unusual activity and halted signing operations before further damage could occur. The incident was THORChain's third major exploit since 2021. According to TRM Labs, cumulative losses associated with attacks involving the protocol have approached $25 million.
Protocol Avoids Token Dilution in Recovery Strategy
Unlike many DeFi recovery efforts, THORChain opted against issuing new RUNE tokens to absorb losses. Instead, it relied on protocol-owned liquidity. The approach helped shield token holders from dilution while allowing the network to rebuild confidence ahead of its reopening.
The exploit initially sent RUNE down between 12% and 15%, erasing tens of millions of dollars in market value. The recovery plan's decision to avoid minting additional tokens helped limit further pressure on the asset.
Governance discussions are now focused on replacing the GG20 threshold signature system with alternative security architectures. The incident has also reignited debate over node operator security and whether decentralized networks can adequately defend against insider threats.
THORChain suspended its ThorFi lending business in 2025 amid insolvency concerns. Regulators and compliance firms have repeatedly highlighted the protocol's role in facilitating cross-chain transfers associated with major crypto hacks.
FAQ
What did THORChain do on June 23?
THORChain resumed trading and network operations on June 23 after more than five weeks offline following a $10.7 million exploit on May 15.
Why did the May 15 exploit occur?
The May 15 exploit targeted one of THORChain's Asgard vaults and exposed weaknesses in the protocol's GG20 Threshold Signature Scheme (TSS). The attacker was a node operator who had joined the network just two days before the breach.
How did THORChain recover from the $10.7 million exploit?
THORChain relied on protocol-owned liquidity to absorb losses instead of issuing new RUNE tokens. The approach helped shield token holders from dilution while the network completed security upgrades and vault migrations.
