In a significant breach of security, THORChain has confirmed a $10 million exploit that impacted nearly 12,847 wallets across various chains, including Bitcoin (BTC), Ethereum (ETH), Binance Smart Chain (BNB), and Base. Following this incident, a recovery portal has been established to assist affected users in reclaiming their lost funds.
Introducing the Recovery Portal
On May 16, 2026, the THORChain Foundation announced the launch of a recovery portal, enabling users affected by the exploit to revoke malicious approvals and submit refund claims. This refund mechanism is supported by a treasury-backed refund pool, ensuring that affected individuals can recover their losses.
The recovery process is straightforward. Affected users are encouraged to navigate to the portal, where they can see the compensation amounts they are eligible to receive. Additionally, they will have a window of 21 days to submit claims, with the refund period closing on June 4. After this date, any unclaimed funds will be redirected to the protocol’s insurance fund.
Details of the Exploit
The exploit was first detected on May 11, 2026, at 02:14 UTC when node operators identified unusual outbound transactions. Within eight minutes, THORChain paused trading and outbound signing to prevent further loss. The total damage included approximately 36.75 BTC (around $3 million) and an estimated $7 million in additional tokens.
Investigation Underway
THORChain has indicated that the likely cause of the exploit was a vulnerability within the GG20 threshold signature scheme (TSS). This flaw allowed the gradual leaking of sensitive vault key materials, which the attacker exploited over time to reconstruct the vault’s private key, thus authorizing unauthorized transactions. A recently churned node that entered the network around the time of the attack is believed to be linked to the breach.
The Treasury is currently collaborating with Outrider Analytics and relevant law enforcement agencies to collect forensic data and identify the perpetrator. Efforts are underway to recover the stolen funds wherever possible.
Wider Impact and Context
The THORChain incident is part of a worrying trend, with crypto hacks significantly escalating in frequency and severity. In April alone, the industry suffered losses totaling approximately $630 million, marking it as one of the worst months for crypto security since early 2025.
As the landscape of decentralized finance continues to evolve, the methods employed by attackers are shifting. Incidents are increasingly reflecting a pattern where vulnerabilities in bridges, access controls, and operational practices are being exploited, exceeding traditional smart contract bugs.
Stay informed and proactive to protect your assets in this dynamic environment.
