V12 Says THORChain Silently Patched Its Critical Bug, Then Told Researchers the Bounty Is 'Permanently Retired' - "The Defiant"

You've reached your guest reading limit.

By continuing, you agree to our Terms and Privacy Policy.

A security startup said it intends to publicly release exploit code for unpatched THORChain vulnerabilities in the coming days, after the cross-chain protocol patched an earlier critical bug the firm had disclosed without crediting or paying it.

V12, a startup that builds an automated code-auditing tool and has recently published Linux kernel exploits, said in a post on X that it reported a "critical loss of funds" bug to THORChain, that the protocol "silently patched it," and that a THORChain representative told the firm its bug bounty program is permanently retired. V12 said it is holding additional THORChain "chain halt" denial-of-service vulnerabilities that it plans to disclose openly, and it published a repository of proof-of-concept code.

The disclosure lands roughly three weeks after THORChain, a cross-chain liquidity protocol with about $30 million in total value locked, lost an estimated $10.7 million from one of its six Asgard vaults on May 15. Security researchers including Blockaid and onchain investigator ZachXBT attributed that exploit to a proposer-forgery bug in THORChain's Bifrost attestation system — the same class of flaw a THORChain code commit dated May 6 was written to fix.