THORChain Confirms $10M Exploit, Launches Recovery Portal
THORChain suffered a $10M exploit via a TSS vulnerability, draining 36.75 BTC and $7M in tokens from 12,847 wallets. A recovery portal lets affected users revoke approvals and claim refunds from a treasury-backed pool within 21 days.
Quick Take
THORChain's GG20 TSS vulnerability allowed private key reconstruction.
Attack drained 36.75 BTC ($3M) and $7M tokens across BNB, Ethereum, Base.
Recovery portal offers self-custodial refund claims, deadline June 4.
Forensic data collection and law enforcement coordination underway.
Market Impact Analysis
Bearish: Large exploit causes trust erosion, though recovery portal and treasury provision may partially offset negative sentiment.
Key Takeaways
- THORChain's GG20 TSS vulnerability leaked key material, enabling private key reconstruction and a $10M exploit.
- Attackers drained 36.75 BTC ($3M) and $7M in tokens across BNB Chain, Ethereum and Base, hitting 12,847 wallets.
- A self-custodial recovery portal is open for affected users to revoke approvals and claim refunds until June 4.
- Forensic data collection and law enforcement coordination are active to identify the attacker and recover funds.
What Happened
THORChain suffered a $10M exploit on May 11 through a vulnerability in its GG20 threshold signature scheme (TSS) implementation. Node operators detected anomalous outbound transactions at 02:14 UTC and paused trading and outbound signing within eight minutes. The protocol immediately launched a recovery portal, allowing affected users to check compensation and submit claims. The Treasury provisioned a refund pool equal to the stolen amount, giving users a 21-day window to revoke malicious approvals and reclaim funds. Unclaimed allocations will roll over to the insurance fund after the June 4 deadline.
The Numbers
Attackers made off with 36.75 BTC, roughly $3M at current prices, and an additional $7M in tokens across BNB Chain, Ethereum and Base. In total, 12,847 wallets were affected across four chains. The exploit represents one of the largest TSS-related breaches this year, though the treasury-backed refund pool of equal size mitigates direct user losses. Over $10M in combined assets were drained, but the fast eight-minute response likely prevented further outflows.
Why It Happened
The leading theory points to a flaw in THORChain's GG20 TSS implementation that allowed sensitive key material to leak gradually over time. By accumulating enough shards, the attacker reconstructed the vault's private key. A newly churned node that entered the network days before the attack is suspected of facilitating the leak; onchain links connect its bonding addresses to wallets that received stolen funds. This highlights inherent risks in TSS-based custody when node participation is not rigorously screened.
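To make the threshold property behind this theory concrete, the following added example (not THORChain or GG20 code, and not from the original article) models key shares with plain Shamir secret sharing over a constructed prime field. It shows why exposure below the threshold is harmless while exposure at the threshold is total, and, as an assumption not described in the article, how a proactive share refresh makes shares leaked in different epochs useless together.

```python
import secrets

# Constructed toy field (2**127 - 1 is prime); real ECDSA TSS uses the
# secp256k1 group order. All names here are hypothetical.
P = 2**127 - 1

def _eval(coeffs, x):
    """Evaluate a polynomial (constant term first) at x mod P."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y

def split(secret, t, n):
    """Deal n Shamir shares of `secret`; any t of them reconstruct it."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {x: _eval(coeffs, x) for x in range(1, n + 1)}

def refresh(shares, t):
    """Proactive refresh: add shares of zero. The key is unchanged, but
    shares from different epochs no longer lie on one polynomial."""
    zero = [0] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {x: (y + _eval(zero, x)) % P for x, y in shares.items()}

def reconstruct(points):
    """Lagrange interpolation at x = 0 over the given {x: y} points."""
    total = 0
    for xi, yi in points.items():
        num = den = 1
        for xj in points:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def demo(t=3, n=5):
    key = secrets.randbelow(P)
    epoch1 = split(key, t, n)
    epoch2 = refresh(epoch1, t)
    at_threshold = {x: epoch1[x] for x in (1, 2, 3)}    # t shares, one epoch
    below = {x: epoch1[x] for x in (1, 2)}              # t-1 shares
    mixed = {1: epoch1[1], 2: epoch1[2], 3: epoch2[3]}  # t shares, two epochs
    return (key, reconstruct(at_threshold), reconstruct(below),
            reconstruct(mixed), reconstruct(epoch2))
```

The practical reading for operators: the threshold counts exposed shares per refresh epoch, so a slow leak only succeeds if shares stay valid long enough to be collected.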
Broader Impact
The exploit erodes trust in cross-chain DEXs reliant on TSS for asset custody. THORChain's RUNE token faces selling pressure amid security concerns, though the treasury's full refund provision may cushion sentiment. The incident underscores the need for continuous key-material monitoring and node vetting. With DeFi hacks already topping $630M in April, the attack reinforces the sector's vulnerability to sophisticated cryptographic exploits.
What to Watch Next
- Forensic progress and any law enforcement identification of the attacker: success could set a precedent for crypto recovery.
- Refund claim volumes: high uptake may strain the treasury, while low uptake could signal lasting trust damage.
- RUNE price action and trading volumes as markets price in the protocol's security posture and insurance fund robustness.
This article is for informational purposes only and does not constitute financial advice.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved.