Key Insights
- THORChain restored full network operations after more than five weeks of security reviews and upgrades.
- The protocol linked the exploit to a flaw in its GG20 threshold signature scheme.
- Native Monero, Zcash, and Bittensor integrations remain on the network’s expansion roadmap.
THORChain has resumed full trading operations after a shutdown that lasted more than five weeks following a $10.7 million exploit. The restart restores a major source of decentralized cross-chain liquidity and allows users to access swaps, signing, churning, and liquidity provider services once again.
The reopening marks the end of an intensive recovery process that began on May 15 when suspicious activity triggered an emergency halt. The new protocol is now moving towards network expansion and long-term security enhancements.
Security review cleared the path for network restart was created by ESET
The incident started after investigators blockchain.com ZachXBT and security firm PeckShield found a potential exploit on several supported chains. To counter this, the network operators put some of their services offline, and the developers began to delve into the breach and determine the damage.
The protocol states that the attacker was able to take advantage of a security flaw in the GG20 threshold signature scheme that protects network vaults. The vulnerability allowed the malicious node operator to deduce a private key by the gradual leakage of cryptographic data.
In an attack, some $10.7 million was lost from one of six Asgard vaults. The other vaults, however, were not affected.
A solvency imbalance was detected using automated checks by THORChain within minutes, the company reported. This meant the network stopped signing and trading transactions before the attacker could do any more transactions to access more funds.
Developers didn’t rush in to restore services but concentrated on a structured recovery plan. All of the vaults were verified and operators have checked all node keyshares before approving the restart. The protocol also retired old vaults, with a migration to a new vault set that is more secure.
Moreover, approved software upgrades were made to add new recovery procedures and security features. The protocol acknowledged node operators, developers and contributors from Maya Protocol for their contribution in maintaining the stability during the recovery process.
Questions around infrastructure continue to shape debate
The exploit has renewed discussion about the future of the protocol’s security architecture.
According to THORChain, the vulnerability originated within the GG20 threshold signature framework that distributes vault control among multiple node operators. Investigators showed that a newly running malicious node operator was able to gradually gather enough information to be able to build up a full private key.
This was another significant security threat to the protocol and brought up concerns about the protection against validator onboarding. But the fast response showed how effective automated monitoring systems monitoring vault imbalances are.
The protocol issued emergency patches immediately after the exploit and further patches with fixes for this vulnerable area later. New security measures include vulnerable-vault quarantine logic checks, key sharing validation checks, and recovery logic designed to improve network resilience.
Most significantly, no new RUNE tokens were issued as part of the recovery process to replace lost tokens. Rather, the protocol took a hit on the liquidity side using prevailing liquidity tools. The decision helped to decrease further pressure from the token during the shutdown period.
Upon restarting, it was observed that the market reacted very little with recovery data. As of June 23, RUNE is currently trading near $0.42, with a 2% increase in value within the last week and a 0.2% drop in value in the last 24 hours. Daily trading volume stood at approximately $16.29 million.
Expansion strategy moves forward despite setback
While security remained the priority, development efforts continued throughout the outage.
The protocol confirmed that native Monero swaps are functioning successfully in testing and are moving closer to a public launch. Support for Zcash also remains in development and could arrive shortly after the network stabilizes.
Furthermore, the developers are still working on Bittensor integration, which will be implemented in the near future, anticipated to be in the coming weeks. Planned improvements also feature dynamic fees and deeper liquidity improvements that will drive trading efficiency for supported blockchains.
These are part of a broader plan to increase the cross-chain capabilities and mitigate potential risks of the operations. With no need for wrapped tokens or centralized bridges, the protocol continues to be one of the largest decentralized networks that allows native blockchain assets to be traded directly.
As trading activity returns, users and liquidity providers will closely monitor network performance. Market participants will also watch whether the new security measures can prevent future incidents while supporting additional integrations.
Conclusion
The return of trading services closes a significant chapter in the protocol’s recovery from a $10.7 million exploit. Security audits, vault verification, and infrastructure improvements have taken weeks, and now, THORChain has returned to its core operations and begun trading across chains again. Now the protocol is tasked with regaining trust and developing new integrations and further enhancing security against future attacks.
