-
Thorchain lost roughly 10 to 11 million US dollars across Bitcoin, Ethereum, BSC, and Base on May 15.
-
ZachXBT flagged the exploit publicly as RUNE dropped 12 to 15% within hours, falling to about $0.50.
-
Node operators triggered a global emergency halt; a full post-mortem from Thorchain is still pending.
Attackers poisoned a routine vault migration process on the Thorchain, tricking the system into approving token transfers. As a result of this exploit, they walked away with millions across four different blockchains. For now, Thorchain hasn’t given any official update regarding this incident.
A Calculated Attack on a Routine Process
Onchain sleuth ZachXBT spotted this incident first and shared the news in his Telegram channel. Initially, experts estimated losses of around $7.4 million. Later, they discovered the total was even higher.
So how did this happen? The attackers targeted a vault churn. That is a standard Thorchain process. Node operators rotate in and out during a churn. The system redistributes assets using threshold signature schemes.
The attackers injected malicious addresses into that process. They tricked the system into approving transfers. Those transfers should never have gone through.
The breach hit vaults on four chains. It affected the Bitcoin blockchain. BNB Smart Chain also took a hit. Ethereum and Base also got their share of the attack. Attackers made away with roughly 3,443 ETH. That is worth about $7.77 million. They also grabbed 36.85 BTC, which is approximately $2.97 million. Plus 96.6 BNB worth around $66,000. Early reports also mentioned 798,000 USDC.
Security firms flagged three theft addresses. Those addresses sit across Bitcoin and Ethereum. Teams like Peckshield and Cyvers are now monitoring them closely.
Node Operators Hit the Emergency Brake
The response came fast. Node operators triggered Thorchain’s global emergency halt. They used the protocol’s Mimir governance settings to do it. The halt suspended swaps immediately. It also stopped vault churning. And it blocked signing on all affected chains. That all began around block 26190429. RUNE transactions on the native chain continued. But only in a limited capacity.
The market reacted just as quickly. RUNE dropped 12 to 15 percent within hours of ZachXBT’s alert. The token fell from around $0.58 to roughly $0.5 across major exchanges. Liquidity providers and users are now stuck waiting.
As of this writing, the @Thorchain account on X has not posted publicly about the exploit. No official post-mortem exists yet. The funds at the identified addresses appear largely dormant.
Why this Case Matters for DeFi
This attack hits a familiar weak point. Thorchain has faced protocol-level attacks before. In July 2021, multiple exploits targeted the ETH router. Those drained between $4.9 million and $8 million. The team covered losses from the treasury. They also paused the protocol for fixes. This current exploit follows a different threat profile. But it hits the same vulnerable spot: the vault migration process.
Attackers are increasingly targeting routine, trusted processes. A separate campaign planted backdoors in over 30 WordPress plugins by compromising the update mechanism, a similar exploitation of developer trust.
The most concerning part? Thorchain built its architecture to avoid centralized failure points. The protocol runs more than 90 decentralized nodes. It holds no single admin key. And it avoids using wrapped assets entirely. That design has held up against certain attack types. But the churn process is now an exploitable surface.
The timing also raises eyebrows. Thorchain drew major attention over the past year. It became a passage for funds connected to the Bybit hack. That attack, attributed to the Lazarus Group, saw losses of nearly $1.4 billion. Thorchain also handled flows from the Kelp DAO incident. That involved more than $175 million in Ethereum to Bitcoin (ETH-to-BTC) swaps.
Those flows generated fees for the protocol. But they also drew sharp criticism. Compliance and security researchers warned about the risks. Now the protocol itself has been hit. This changes the conversation entirely.
What Happens Next
This remains a developing story. Investigations are still active. Security firms continue tracking the flagged addresses. Liquidity providers should avoid interacting with the protocol. Do not engage until trading resumes and full details come out.
Thorchain’s node operators will release a detailed post-mortem. That should happen once the situation stabilizes. You can find updates on Thorchain’s documentation pages. Also, check the @Thorchain X account. And the Midgard API will carry new information as it becomes available.
For now, the DeFi world is watching closely. A protocol built to avoid central risks just got hit at its core. This is a wake-up call for everyone to be careful and take security seriously because no system is immune to attack, even the strongest ones get hit too.
