Key Insights:
- THORChain confirmed a $10M exploit and opened a user refund portal.
- The attack drained 36.75 BTC and tokens across BNB Chain, Ethereum, and Base.
- Affected users have until June 4 to submit claims through the portal.

THORChain has confirmed a $10 million exploit and launched a recovery portal for affected users. The portal gives users a self-custodial way to revoke malicious token approvals, review expected compensation, and submit refund claims tied to a treasury-backed refund pool.

THORChain Opens Recovery Portal
THORChain Foundation announced the recovery portal in a post on X, stating that affected users can now check what compensation they will receive following the exploit. The portal is designed to help users revoke unsafe approvals while keeping control of their wallets.
According to the recovery portal, the attack was first detected at 02:14 UTC on May 11. Node operators flagged unusual outbound transactions, prompting the protocol to pause trading and outbound signing within eight minutes.
The attackers drained 36.75 BTC, worth about $3 million, along with roughly $7 million in tokens across BNB Chain, Ethereum, and Base. In total, the exploit affected 12,847 wallets across four chains.
THORChain has provisioned a refund pool equal to the size of the losses. Affected users have 21 days to submit claims through the portal. The claim window closes on June 4, and any unclaimed funds will move into the protocol’s insurance fund.

Exploit Linked to the Key Leakage Theory
THORChain said its leading theory points to a vulnerability in the implementation of the GG20 threshold signature scheme. The protocol said the weakness may have allowed sensitive vault key material to leak gradually over time.
If enough key material leaked, the attacker could reconstruct the vault’s private key. That would allow unauthorized outbound transactions from protocol vaults without needing normal approval routes.
The incident update also said a newly churned node entered the network several days before the exploit. THORChain currently believes the node may be connected to the attack.
On-chain links have reportedly been identified between the node’s bonding addresses and wallets that received stolen funds. The protocol said its treasury is collecting forensic data and working with Outrider Analytics and law enforcement agencies.

Refund Plan Aims to Limit User Damage
The recovery portal marks THORChain’s first major response after confirming the exploit. By backing claims with a treasury-provisioned refund pool, the protocol is trying to reduce direct user losses and restore confidence.
The self-custodial design is also important. Users can revoke malicious approvals without handing over wallet control to a third party. This limits additional risk during the claims process.
However, the 21-day deadline creates a narrow window for affected users. Anyone who misses the claim period may lose access to direct compensation, since unclaimed funds will roll into the insurance fund after June 4.
The recovery effort may help contain immediate fallout. Still, the deeper issue is how the attacker gained access and whether the same risk can appear again. THORChain now needs to show that its vault security and node controls have been fully reviewed.

DeFi Security Pressure Keeps Rising
The confirmed THORChain exploit comes during a difficult period for decentralized finance. Crypto hack losses reached $629.7 million in April, making it the worst month since February 2025, when $1.47 billion was stolen.
KelpDAO’s $293 million exploit and Drift Protocol’s $280 million hack drove most of April’s losses. Together, they accounted for about 82% of the monthly total.
Recent attacks also show a shift in DeFi risk. Major losses are no longer coming only from simple smart contract bugs. Bridges, privileged access, validator systems, operational failures, and signing infrastructure are now major attack surfaces.
THORChain’s suspected GG20 issue fits that pattern. It shows how security failures can emerge from deeper infrastructure layers rather than user-facing smart contracts alone.
For now, affected users must submit refund claims before the June 4 deadline. Meanwhile, THORChain’s broader recovery depends on forensic findings, possible fund recovery, and stronger proof that the exploited path has been closed.
Disclaimer: This article on Cryptowealthnet is only for informational purposes and does not constitute investment advice. Cryptocurrency markets are volatile, and readers should conduct their own research before making financial decisions.

KIPLANGAT RONO HESHBON is a Crypto Market Analyst and Blockchain Research Specialist with extensive experience producing data-driven market insights for leading digital asset publications. Skilled in on-chain analysis, derivatives tracking, technical chart interpretation, and tokenomics evaluation. Experienced in delivering structured, analytical reports covering Bitcoin, Ethereum, altcoins, DeFi, and macro-driven crypto movements.
