THORChain exploit steals $10.7M
- THORChain reported a security breach that drained about $10.8 million from protocol liquidity pools on May 11 and paused trading, the project said.
- Chainalysis said in a May 16 thread that attacker-linked wallets moved funds through Monero and Hyperliquid weeks before the theft, suggesting laundering routes.
- Investigators are monitoring Monero and Hyperliquid addresses and THORChain opened a recovery portal; claims close June 4.

THORChain said it detected anomalous outbound transactions on May 11 and later confirmed approximately $10.8 million was taken from its Asgard vaults, the project and security firms reported. The protocol paused trading and signing while node operators and outside investigators raced to contain the incident. Chainalysis and blockchain security firms have since traced preparatory on‑chain activity linked to the suspected attacker.

### When did node operators detect the breach and what did THORChain do immediately?

Node operators flagged unusual outbound transactions at 02:14 UTC on May 11, according to a post‑mortem cited by THORChain in its recovery announcement. THORChain said trading and outbound signing were paused within eight minutes of detection to limit further drains.

### How much was taken and which assets were affected?

PeckShield’s analysis identified 36.75 BTC and roughly $7 million in tokens across Ethereum, BNB Chain and Base, about $10.8 million in total. Security monitors and on‑chain investigators pointed to two primary attacker addresses that consolidated the stolen funds.

### What did Chainalysis trace about the attacker’s pre‑attack activity? (cointelegraph.com)

Chainalysis said in a May 16 thread that wallets it linked to the attacker had moved funds through Monero and Hyperliquid as early as late April, converting assets to USDC and routing them to Arbitrum and Ethereum before the exploit. Chainalysis said those flows appear to have been staged weeks before the May 11 breach.

### What explanation have security researchers offered for how the exploit worked?

PeckShield and independent analysts flagged a suspected vulnerability in THORChain’s GG20 threshold‑signature (TSS) implementation, saying a newly churned or malicious node may have allowed gradual exposure of key material. Analysts including PeckShield and several on‑chain sleuths described the vector as affecting the vault signing process rather than a simple smart‑contract bug.
(cryptotimes.io)

### What steps has THORChain taken for affected users and governance?

THORChain opened a recovery portal on May 16 and said the treasury provisioned a roughly $10 million refund pool to cover losses, citing the PeckShield post‑mortem as the basis for compensation calculations. The foundation’s post on X said affected users can check estimated payouts and revoke malicious approvals through the portal. (blockchain.news)

### Who is investigating and what are investigators watching next?

Chainalysis and other blockchain intelligence teams said they are monitoring the Monero and Hyperliquid paths connected to attacker‑linked wallets for signs of cash‑out activity, and law enforcement and THORChain contributors are coordinating forensic work. Security firms reported that, as of their most recent updates, the consolidated attacker addresses had not significantly moved the stolen funds. (cointelegraph.com)

THORChain’s recovery portal remains open for claims through June 4, and the foundation said any unclaimed allocation will roll into the protocol insurance fund after that date. Investigators and on‑chain analytics firms have said they will continue tracking the identified Monero and Hyperliquid addresses for movement in the days following the exploit. (whale-alert.io) (cryptotimes.io)