THORChain unchains itself after $10.7M heist, tips hat to Monero 🛡️

THORChain has resumed full network operations more than a month after a $10.7 million exploit forced the cross-chain liquidity protocol to suspend trading and core services. The protocol confirmed in a Tuesday X post that signing, node churn, swaps, liquidity provider actions, and secured and trade assets are now fully operational following an extensive security overhaul.

The disruption began on May 15, when an attacker exploited a vulnerability in THORChain's GG20 Threshold Signature Scheme (TSS), allowing a newly churned validator to reconstruct the private key for a single Asgard vault and authorize unauthorized withdrawals. THORChain's automated solvency monitoring detected the incident, triggering an immediate halt to trading, vault signing, chain observation, and node churn. The protocol later confirmed losses of approximately $10.7 million. The flaw enabled what the protocol described as "progressive key material leakage," permitting a malicious node operator to rebuild a full private key.

Engineers implemented an emergency patch on May 20 to protect remaining vaults before releasing a primary upgrade on June 9, which included a fix for the exploited vulnerability. A follow-up upgrade followed on June 11 with additional stability improvements and fixes to the KeyVerify protocol. On Sunday, the protocol said it had confirmed the safety of most of its vaults through KeyVerify and retired the remaining legacy vaults as part of a migration to a new set of vaults, calling the upgrade the "most significant milestone" in its recovery process. THORChain also completed verification of every node's keyshare on Friday, crediting node operators, developers, the Maya Protocol team, and the wider community for their support throughout the shutdown.

The protocol characterized the rebuild as prioritizing security over speed, with developers verifying every vault and key share before restoring normal operations. The May exploit drew additional attention to THORChain because blockchain investigators have documented hackers using the protocol to move stolen funds between networks such as Bitcoin ($BTC) and Ethereum ($ETH).

With recovery largely complete, THORChain outlined upcoming protocol upgrades, including native swaps and vaults for privacy-preserving cryptocurrency Zcash ($ZEC) within the next two weeks, followed by Monero ($XMR). The project said native Monero swaps are already functioning in end-to-end testing and are expected to launch in the near future. THORChain also plans to launch support for the Bittensor ($TAO) token in about six weeks after the network's restart, alongside planned dynamic fees and deeper liquidity improvements designed to strengthen the protocol's cross-chain trading infrastructure.