THORChain Confirms $10 Million Multi-Chain Exploit... Trading Suspended and Recovery Portal Released

On May 16, 2026, the decentralized cross-chain protocol THORChain officially confirmed a sophisticated multi-chain exploit that resulted in an asset outflow of approximately $10 million. The protocol team immediately suspended trading to prevent further damage and launched a dedicated recovery portal today to help affected users revoke malicious approvals and claim refunds.

The incident came to light on May 15, 2026, when on-chain investigator ZachXBT first identified suspicious wallet activity. Initially, the damage was estimated at approximately $7.4 million, but it was later revised upward to a total of over $10 million in assets leaked across multiple blockchains, including Bitcoin (BTC), Ethereum (ETH), BNB Chain, and the Base network, during a detailed investigation.

THORChain has confirmed an exploit across four chains and has launched a recovery portal where affected users can revoke malicious approvals and claim refunds.

According to a report from security firm PeckShield, the attacker targeted a vulnerability in THORChain's core asset management system, the Asgard Vaults. The stolen funds are being moved and distributed to specific Bitcoin addresses and Ethereum-based wallets, and the protocol has requested major exchanges to freeze the relevant addresses.

Technical Vulnerability of Asgard Vaults Exposed

Technical analysis results show that this exploit took advantage of a unique structural vulnerability in THORChain, which manages assets across multiple chains simultaneously. The attacker bypassed the verification logic within the Asgard vaults to execute unauthorized asset withdrawals, resulting in the outflow of 36.75 BTC, worth approximately $3 million, from the Bitcoin network alone. The specific scale of damage and asset status by chain are as follows.

• Bitcoin (BTC) Network: Confirmed outflow of 36.75 BTC worth approximately $3 million
• Ethereum, BNB Chain, Base: Multi-asset outflow of approximately $7 million occurred
• Total Damage: Currently estimated between approximately $10 million and $10.7 million

Immediately after becoming aware of the incident, the THORChain team took emergency measures to temporarily suspend all transactions and signing functions on the network. As a result, all cross-chain swaps and liquidity provision activities are currently halted, and the team stated they plan to maintain this state until the system's safety is fully secured. This suspension of transactions is serving as an essential defensive mechanism to prevent further asset theft.

The recovery portal, officially launched today, is a key remedy for users directly affected by this exploit. Users must access the portal to immediately revoke malicious smart contract approvals granted to their wallets and can proceed with refund applications for lost assets according to the procedures established by the protocol. THORChain is providing a step-by-step guide to ensure victims can safely recover their assets.

Market Impact and RUNE Token Volatility

As news of the security incident reached the market, the price of RUNE, THORChain's native token, showed a steep decline. As of May 16, 2026, the RUNE price fell by approximately 11% to 12% compared to the previous day, dropping to the $0.5146 level, which is interpreted as a reflection of selling pressure from investors due to the decline in the protocol's credibility.

This incident serves as another reminder of the ongoing security crisis in the DeFi industry throughout 2026. Following the large-scale outflow incidents at Drift Protocol and KelpDAO last April, the fact that cross-chain bridge infrastructure remains a primary target for hackers is raising concerns within the industry. Experts point out that as the complexity of multi-chain protocols increases, the importance of security audits and real-time monitoring has grown even further.

THORChain is currently preparing a detailed post-mortem report and plans to resume services in stages after fully addressing the security vulnerabilities. Protocol officials urged users to exercise extreme caution, as recovery instructions or links from sources other than official channels are likely to be phishing attempts. The future resumption schedule is expected to be determined based on the progress of security hardening efforts.