THORChain Resumes Trading After $10.7M Exploit Recovery
THORChain restored network activity, including swaps and liquidity, after a month-long halt due to a $10.7 million exploit. The protocol completed security verifications, retired legacy vaults, and patched a vulnerability in its GG20 signature scheme, with future plans to integrate privacy coins Zcash and Monero.
Quick Take
THORChain resumes trading after $10.7M exploit, implementing key security upgrades.
Exploit caused by GG20 signature vulnerability allowing private key reconstruction.
Upcoming support for Zcash, Monero, and Bittensor tokens in coming weeks.
Market Impact Analysis
BullishThe resumption of trading and completion of security upgrades restores protocol functionality and user confidence, potentially increasing usage and demand for RUNE.
Speculation Analysis
Key Takeaways
- THORChain restored all trading, swaps, and liquidity actions after a month-long shutdown triggered by a $10.7 million exploit.
- The root cause was a GG20 threshold signature vulnerability that let a malicious node operator reconstruct a full private key.
- Legacy vaults have been retired, node keys verified, and multiple security patches deployed to prevent recurrence.
- Planned integrations with privacy coins Zcash and Monero, plus Bittensor, signal aggressive post-recovery growth.
What Happened
THORChain reactivated its cross-chain protocol after validating node security and retiring vulnerable vaults. Trading, swaps, and liquidity provisioning resumed Tuesday, ending a pause that began May 15 when a $10.7 million exploit forced an immediate halt. The protocol deployed an emergency patch on May 20, followed by upgrades on June 9 and 11 that fixed the flawed GG20 signature scheme and stabilized the KeyVerify protocol. All remaining legacy vaults were migrated to a new, verified set, a move THORChain called the most significant recovery milestone.
The Numbers
The attacker drained $10.7 million by exploiting a progressive leak of key material from the GG20 threshold scheme. The trading suspension lasted more than four weeks, with the network fully offline for critical functions. Over 100 nodes were verified through KeyVerify, and the protocol burned all old vault shares. THORChain expects to launch Zcash native swaps within two weeks, Monero shortly after, and Bittensor support in roughly six weeks.
Why It Happened
The GG20 threshold signature scheme, designed to distribute private-key control across many node operators, contained a subtle flaw. A single malicious node operator was able to reconstruct an entire private key by gathering small pieces of key material leaked over multiple signing rounds—what THORChain called “progressive key material leakage.” Once the key was assembled, the attacker swept $10.7 million from the protocol’s vaults. The vulnerability had gone undetected despite prior audits, highlighting the complexity of multi-party computation security.
Broader Impact
The exploit underscores the risks in threshold-signature-based cross-chain solutions, but THORChain’s transparent recovery—complete vault retirement, node-level verification, and rapid patching—sets a template for other protocols. The restored functionality may rebuild user trust and attract liquidity back to RUNE pools. Meanwhile, upcoming privacy-coin support could differentiate THORChain in a market where direct on-chain swaps for Zcash and Monero are scarce.
What to Watch Next
- Zcash integration (targeted within two weeks) will test the new vault infrastructure under live load.
- Liquidity depth on THORChain’s pools—monitor total value locked and RUNE buy pressure as trading normalizes.
- Any additional security audits or bounty programs announced as the protocol vets new chain integrations.
This article is for informational purposes only and does not constitute financial advice.
Always late to trends?
Join for the latest news, insights & more.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved. This article is for informational purposes only.
