THORChain confirms $10M hack, but liquidity keeps flowing
THORChain confirmed a roughly $10 million exploit this week and said it has launched a recovery portal for affected users, while data cited by investigators showed liquidity and token activity continued across the protocol despite the breach. The incident matters now because it hits one of DeFi’s most visible cross-chain venues at a time when security remains a central concern for traders and liquidity providers.
Overview
- THORChain said the exploit affected 12,847 wallets across Bitcoin, Ethereum, BNB Chain and Base, underscoring the breadth of the breach [1].
- The protocol’s recovery portal went live on May 16, with treasury-backed refunds available until June 4, giving users a defined claim window [1].
- Investigators said the attacker drained 36.75 BTC, worth about $3 million, plus another $7 million in tokens, placing the loss near $10 million [1].
- Trading and outbound signing were paused within eight minutes of detection, which limited further losses but also highlighted operational fragility [1].
- Early reports indicated activity across multiple chains continued after the exploit, showing that yield-seeking capital has not fully left the venue [1][5].
- RUNE weakened after the incident, reflecting the market’s immediate discount for protocol risk even as recovery efforts got underway [3][6].
Subscribe to our Social Media for Exclusive Crypto News and Insights 24/7!
THORChain hack confirms cross-chain risk
THORChain’s confirmation of the exploit sharpened attention on a protocol that has long attracted users by offering cross-chain liquidity and yield opportunities. Blockchain security firm PeckShield’s post-mortem, cited in reporting on the incident, linked the attack to a vulnerability in THORChain’s GG20 threshold signature scheme and said the flaw allowed sensitive vault key data to leak over time [1].
The attacker’s activity was not limited to a single chain. Reporting said funds were taken from Bitcoin, Ethereum, BNB Chain and Base, with the stolen assets then moved across wallets and chains before detection and containment measures kicked in [1][5]. That breadth matters because it points to the operational reach of the exploit and the difficulty of defending protocols that bridge multiple networks.
Market participants view the episode as another reminder that cross-chain liquidity remains exposed to security failures that can surface quickly and spread across ecosystems. The immediate market reaction in RUNE reflected that concern, with reports showing the token fell double digits after the exploit and subsequent trading pause [3][6].
| Incident detail | Verified data | Market implication |
|---|---|---|
| Wallets affected | 12,847 | Broader user impact raises the cost of remediation [1] |
| Estimated losses | About $10 million | Large enough to dent confidence, not fatal to the protocol [1] |
| Assets drained | 36.75 BTC plus tokens | Losses spanned both native and EVM-linked activity [1] |
| Response time | Trading paused within eight minutes | Fast action likely prevented a larger outflow [1] |
Yield-driven liquidity keeps flowing after THORChain hack
The most notable part of the story is not just the loss itself. It is that activity around THORChain did not disappear. Reports following the exploit said yield-driven liquidity and cross-chain flows kept moving even as the protocol paused trading and investigators tracked the attacker’s wallets [1][5]. Interpretation based on available data: some users appear to be separating short-term security shock from the underlying incentive to deploy capital where returns are available.
That behavior is consistent with how DeFi has often reacted to protocol stress. Capital can leave quickly after a breach, but it can also return if the venue remains useful, the losses are contained, and remediation is visible. THORChain’s decision to open a compensation portal and back refunds with treasury funds is relevant here because it gives users a mechanism to assess recovery rather than face open-ended uncertainty [1].
The downside is clear. Recovery portals do not eliminate technical risk, and treasury-backed refunds do not guarantee full confidence restoration. If the exploit was tied to a deeper signing or vault-management weakness, the incident could still affect deposit behavior and the protocol’s ability to retain high-value liquidity providers [1]. That risk is especially relevant in cross-chain markets, where users tend to be more rate-sensitive but also more alert to operational failure.
| Response element | Verified data | Why it matters |
|---|---|---|
| Recovery portal launch | May 16 | Signals an active remediation process [1] |
| Refund deadline | June 4 | Limits the claim window and may accelerate user action [1] |
| Trading pause | About eight minutes after detection | Suggests operational controls were activated quickly [1] |
| Affected networks | BTC, ETH, BNB Chain, Base | Shows the exploit reached multiple liquidity venues [1] |
RUNE and the market’s damage assessment
RUNE’s decline after the exploit showed how quickly the market prices in security risk at the protocol level. Reports cited drops of more than 10% and, in some cases, around 15% after the breach, with the token’s market value falling alongside headlines about the hack [3][6]. For traders, that move is less about one day’s volatility than about the premium the market assigns to trustworthy infrastructure.
The wider implication is competitive. Cross-chain liquidity protocols rely on trust, uptime and predictable settlement. When a large exploit lands, alternatives can look more attractive for a period, particularly among yield-sensitive users who can reallocate quickly. Analysts note that this can shift liquidity share even when the underlying product remains technically functional.
There is, however, a limit to how far that effect may run. The same protocols that attract capital for yield often retain users because they solve a specific routing problem across chains. If THORChain can demonstrate containment, make claims processing visible and avoid further losses, the immediate reputational hit may prove less durable than the first selloff suggested [1]. If not, the breach could weigh on inflows longer than the token’s initial move implied.
THORChain’s next test is whether recovery and transparency are enough to stabilize user behavior after a $10 million exploit. The broader issue for DeFi is unchanged: liquidity can remain mobile and yield-sensitive even after a serious breach, but the cost of a second failure is often much higher than the first.
1. https://www.mexc.co/en-PH/news/1097346
2. https://www.mexc.co/news/1095301
3. https://www.instagram.com/p/DYW1v76EmJM/
4. https://www.mexc.co/en-PH/news/1095365
5. https://defi-planet.com/2026/05/thorchain-halts-trading-after-suspected-10m-cross-chain-exploit/
6. https://www.mexc.co/en-PH/news/1095558
