THORChain, the decentralized cross-chain liquidity protocol, has resumed trading operations after a roughly five-week pause triggered by a $10.7 million exploit on May 15, 2026. The breach, which targeted one of the protocol’s six Asgard vaults, marks THORChain’s third significant security incident in its operational history.
RUNE, THORChain’s native token, dropped 12-15% immediately following the exploit announcement in May. The recovery plan notably avoided minting additional RUNE tokens, opting instead to absorb losses through protocol-owned liquidity, a detail that likely prevented further downward pressure on the token’s price during the suspension.
How the exploit worked
The protocol uses something called GG20 Threshold Signature Scheme (TSS), a cryptographic method that splits a private key among multiple node operators so no single party can move funds alone.
The attacker was a node operator who had joined the THORChain network just two days before the exploit. During signing ceremonies, the processes where node operators collectively authorize transactions, the malicious operator leaked key material. This allowed them to reconstruct the full private key for one Asgard vault and execute unauthorized transactions across multiple blockchains.












