THORChain opens $10M recovery portal after exploit
THORChain confirmed a $10 million exploit and opened a recovery portal for users to revoke malicious approvals and file refund claims from a treasury-backed $10M pool.
THORChain confirmed a security breach on May 11 and launched a recovery portal that lets affected users revoke malicious token approvals and submit refund claims. The protocol reported the incident was detected at 02:14 UTC when node operators flagged unusual outbound transactions; trading and outbound signing were paused within eight minutes.
The attackers drained 36.75 BTC (about $3 million) and roughly $7 million in tokens from vaults on BNB Chain, Ethereum and Base. THORChain reported 12,847 wallets across four chains were affected. The foundation provisioned a refund pool equal to the reported loss, totaling $10 million.
The recovery portal is self-custodial: users can independently revoke approvals that may have enabled the theft and then file a claim. Affected users have 21 days to submit claims; the refund window closes on June 4. Any unclaimed allocation will move into the protocol’s insurance fund after that date.
THORChain’s leading technical theory is that an implementation flaw in the GG20 threshold signature scheme allowed sensitive vault key material to leak over time. By collecting enough of that leaked material, the attacker reconstructed a vault private key and authorized unauthorized outbound transactions. A node that joined the network several days before the incident is suspected to be linked to the attacker, with on-chain links identified between the node’s bonding addresses and wallets that received stolen funds.
The foundation wrote on its recovery portal that “affected users are now able to check what they will be paid as compensation following the exploit.” The portal draws on a post-mortem by a blockchain security firm and displays individual entitlements based on the forensic analysis; the announcement did not provide a specific compensation formula.
THORChain reported that the treasury and analytics partners are collecting forensic data and coordinating with Outrider Analytics and law enforcement to trace stolen assets and seek recoveries. The foundation urged affected users to secure approvals and submit claims within the 21-day window.
Security incidents in decentralized finance have included breaches tied to privileged access, operational failures and infrastructure flaws such as signature schemes and bridge vulnerabilities. THORChain’s report places the incident in that context by identifying a signature-scheme implementation issue as the probable cause.
The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.
Articles by this author
