THORChain, the decentralized cross-chain liquidity protocol, has resumed trading operations after a roughly five-week pause triggered by a $10.7 million exploit on May 15, 2026. The breach, which targeted one of the protocol’s six Asgard vaults, marks THORChain’s third significant security incident in its operational history.

RUNE, THORChain’s native token, dropped 12-15% immediately following the exploit announcement in May. The recovery plan notably avoided minting additional RUNE tokens, opting instead to absorb losses through protocol-owned liquidity, a detail that likely prevented further downward pressure on the token’s price during the suspension.

How the exploit worked

The protocol uses something called GG20 Threshold Signature Scheme (TSS), a cryptographic method that splits a private key among multiple node operators so no single party can move funds alone.

The attacker was a node operator who had joined the THORChain network just two days before the exploit. During signing ceremonies, the processes where node operators collectively authorize transactions, the malicious operator leaked key material. This allowed them to reconstruct the full private key for one Asgard vault and execute unauthorized transactions across multiple blockchains.

THORChain’s automated solvency detection systems flagged the breach within minutes. The protocol uses a solvency checker with a 1% imbalance threshold, meaning the moment vault balances deviated by more than 1% from expected levels, automated halts kicked in for trading, signing, and churning processes.

Node operators then coordinated via Discord and used on-chain Mimir governance votes to formalize the shutdown and begin implementing a recovery plan.

The recovery playbook

Rather than inflating RUNE’s supply to cover the $10.7 million loss, the protocol absorbed the hit through its protocol-owned liquidity reserves.

On the technical side, the team deployed two security patches, versions v3.18.1 and v3.19.1, during the downtime. A vault migration was also executed, moving funds to freshly secured vaults as part of the broader recovery strategy. And in a somewhat unexpected development, the protocol advanced its integration with native Monero (XMR) during the pause.

The community is now actively debating whether to move away from the GG20 threshold signature scheme entirely, with conversation centering on transitioning to a more robust cryptographic framework that would make the kind of key-leaking attack used in this exploit significantly harder or impossible to replicate.

Third time’s the pattern

This is breach number three for THORChain. The two-day window between the attacker joining as a node operator and executing the exploit raises pointed questions about onboarding safeguards.

The automated response systems did work. Minutes-not-hours detection and halting is genuinely impressive for a decentralized protocol, and it likely prevented the $10.7 million loss from being significantly larger. The attacker only compromised one of six Asgard vaults, suggesting the damage could have been more severe if the automated systems had been slower.

What this means for investors

The GG20 TSS migration discussion is the key variable to watch. If THORChain successfully transitions to a more secure signing scheme, it could emerge from this incident with battle-tested automated defenses and upgraded cryptography. If the migration stalls or introduces new complexity, the protocol’s risk profile remains elevated.