A day after Thorchain (RUNE) paused all network activity after suffering a $10.8M multichain exploit, the foundation launched a $10M compensation portal to begin returning funds to verified victims.
The breach drained funds across Bitcoin (BTC), Ethereum (ETH), BNB Chain (BNB), and Base, affecting 12,847 wallets.
THORChain contributors now believe the exploit may have originated from inside the validator set itself. In an incident update, the team said evidence points to a newly churned node potentially linked to the attack. Investigators suspect the attacker exploited a flaw in THORChain’s GG20 Threshold Signature Scheme implementation, gradually leaking enough vault key material to reconstruct a private key and authorize unauthorized transactions.
The protocol said recovery discussions now include slashing affected validator bonds and using Protocol-Owned Liquidity reserves to absorb losses. While RUNE transfers could resume once the temporary pause expires, trading, liquidity pool actions and other sensitive operations will remain suspended until the network finalizes a broader remediation plan.
How The Exploit Unfolded
The attack targeted Thorchain's cross-chain liquidity routing layer. Thorchain operates as a decentralized cross-chain swap protocol. It allows users to swap native assets, including BTC, ETH, and BNB, without wrapped tokens or bridges.
The protocol holds liquidity in network-controlled vaults on each supported chain. An attacker identified a vulnerability in the routing logic and extracted funds from vaults across all four networks simultaneously. The multichain nature of the attack is what drove the total loss above the $10M threshold. No single chain bore the full damage.
Thorchain's operators paused all trading after detecting abnormal outflows. The halt prevents further exploitation but also freezes legitimate user funds during the investigation.
Also Read: Dogecoin Pushes At $0.11 Resistance As $3B Volume Tests Recovery
The Compensation Portal
The Thorchain Foundation announced the $10M compensation portal covering the 12,847 affected wallets across the four chains. Victims must verify wallet ownership before claims are processed. The portal approach, rather than an immediate airdrop, reduces the risk of fraudulent claims and allows the team to cross-reference on-chain data with the specific transaction signatures involved in the exploit.
The $10M pool does not cover the full $10.8M extracted. An $800K gap remains unaddressed publicly. The Foundation has not confirmed whether additional funds will be sourced from its treasury, from a future token sale, or through an ongoing recovery effort targeting the exploiter's wallet.
Also Read: OpenAI Lets US Users Plug ChatGPT Into Bank Accounts: What Can Go Wrong?
Background
Thorchain has a history with exploits. The protocol suffered two major attacks in the summer of 2021, one for approximately $5M and one for roughly $8M. Both were attributed to vulnerabilities in the Bifrost module, which manages communication between Thorchain's core network and external chains.
At the time, the team halted the network and issued community funds to cover losses, establishing the precedent of using treasury resources for victim compensation. That 2021 pattern mirrors what the Foundation is doing today.
In the years following those incidents, Thorchain underwent extensive security audits and re-launched with a revised vault architecture. The 2026 exploit suggests that cross-chain routing remains one of the hardest problems in decentralized finance security, even after multiple audit cycles.
Also Read: Why A $322B Stablecoin Pile Hasn't Triggered The Crypto Rally Bulls Expected
Protocol Risk In Cross-Chain DeFi
Thorchain's architecture is inherently more complex than single-chain protocols. Every additional blockchain it supports increases the attack surface. The protocol currently supports over a dozen chains. Each integration requires custom vault logic and a Bifrost connector.
A flaw in any one connector can expose all connected vault balances if the routing layer fails to isolate the damage. This is the core tradeoff in native cross-chain design. Wrapped-token bridges like those used by older protocols offload chain-specific risk to the bridge contract itself. Thorchain's native approach eliminates wrapped token risk but concentrates routing risk in its own codebase.
Security researchers have noted that cross-chain protocols processing more than $500M in total value locked require continuous adversarial testing, not just periodic third-party audits. Thorchain's TVL put it in that category before the halt.
Also Read: BNB Chain Pulls Ahead In 2026 RWA Race With 567% Holder Jump
What Comes Next
The network halt will remain in place until the Foundation confirms the vulnerability is patched. A timeline for the restart has not been published. The compensation portal will run in parallel with the security review. Once the patch is verified by at least two independent auditors, a governance vote among RUNE stakers will likely determine when trading resumes.
The process could take days or several weeks depending on the complexity of the fix. Affected users should monitor official Thorchain channels for portal access instructions and claim deadlines.
Read Next: Ledger CTO Flags MPC Risk After THORChain's $10.8M Vault Hit