What Happened in the THORChain Exploit?
THORChain has confirmed a $10 million exploit and launched a recovery portal for affected users, giving them a self-custodial route to revoke malicious token approvals and submit refund claims backed by a treasury-funded pool of the same size.
The protocol said affected users can now check what compensation they are eligible to receive after the attack. The recovery portal cites a PeckShield post-mortem saying the exploit was detected at 02:14 UTC on May 11, when node operators flagged anomalous outbound transactions. Trading and outbound signing were paused within 8 minutes.
The attacker drained 36.75 BTC, worth about $3 million, along with roughly $7 million in tokens across BNB Chain, Ethereum and Base. The incident affected 12,847 wallets across 4 chains, making it another reminder that cross-chain infrastructure remains one of DeFi’s most exposed risk areas.
How Will User Compensation Work?
Affected users have 21 days to submit claims through THORChain’s recovery portal. The refund window closes on June 4, after which any unclaimed allocation will roll over into the protocol’s insurance fund.
The refund structure is important because it gives users a defined recovery path rather than leaving compensation open-ended. The treasury-provisioned pool also limits the immediate reputational damage by matching the reported exploit size, though it does not remove the deeper security questions raised by the breach.
For users, the main practical issue is timing. Claims must be submitted before the deadline, and users also need to revoke malicious approvals through the recovery process. For the protocol, the larger challenge is proving that the compromised infrastructure has been isolated and that similar vault-level risks cannot reappear.
Investor Takeaway
THORChain’s refund pool may reduce immediate user losses, but the exploit raises a broader valuation issue for DeFi protocols: treasury strength now matters only if security architecture can protect the assets those treasuries are meant to support.
How Was THORChain Drained?
THORChain said the leading theory is that the attacker exploited a vulnerability in the GG20 threshold signature scheme implementation. According to the protocol, the flaw allowed sensitive vault key material to leak gradually. After accumulating enough leaked data over time, the attacker was able to reconstruct the vault’s private key and sign unauthorized outbound transactions.
The protocol also said a newly churned node entered the network several days before the attack and is currently believed to be linked to the incident. THORChain said onchain links were identified between the node’s bonding addresses and wallets that received the stolen funds.
“The Treasury is actively collecting forensic data and coordinating with Outrider Analytics and relevant law enforcement agencies in an effort to identify the attacker and pursue recovery of stolen funds where possible,” the protocol wrote.
The mechanics of the exploit matter because they point beyond a simple smart contract failure. If the leading theory is correct, the breach involved vault key reconstruction through leaked threshold-signature material, placing node operations, key management and cross-chain signing controls at the center of the investigation.
Why Does This Matter for DeFi Security?
The THORChain exploit comes after a sharp rise in crypto losses. Crypto hacks reached $629.7 million in April, the worst month for the industry since February 2025, when $1.47 billion was stolen. KelpDAO’s $293 million exploit and Drift Protocol’s $280 million hack accounted for most of April’s losses, representing 82% of the total.
