THORChain

Cross-Chain Router Exploit (multi-chain drain)

Estimated loss

$10.70M

VERDICT —AMBIGUOUS

Pending post-mortem. THORChain has been audited multiple times by reputable firms; the recurrence of cross-chain router exploits — three confirmed incidents at the router layer to date — suggests systemic complexity in cross-chain message routing that resists static audit alone. Any rigorous pre-deployment review would emphasize router invariants, asset-conservation proofs, and adversarial cross-chain message-ordering scenarios — but no reviewer should claim with certainty that this would have been caught without seeing the patch.

▰ METHOD

Cross-chain router infrastructure exploit

BRIDGEBRIDGEBYTECODE CATCHABLE →AI SCANNABLE →

Root cause

Cross-chain router exploit; specific vector undisclosed pending post-mortem.

Forensic narrative

Cross-chain router exploit hit THORChain across four networks — Bitcoin, Ethereum, BNB Smart Chain, and Base. On-chain investigator ZachXBT flagged suspicious router activity early on 2026-05-15; security firm PeckShield estimated ~36.75 BTC (~$3M) plus ~$7M in Ethereum, BSC, and Base assets drained, for a combined loss of approximately $10.7M. Affected tokens included USDT, USDC, WBTC, DAI, THOR, LUSD, XRUNE, GUSD, AAVE, LINK, and FOX. Protocol response: Mimir governance flipped trading-halt and signing-halt parameters to active, imposing a node pause of ~12 hours 42 minutes from block 26190429. RUNE dropped ~12% on the news. Specific attack vector remains undisclosed pending post-mortem. Historical context: THORChain has been exploited multiple times via router-layer issues (notably twice in mid-2021).

Primary source

https://www.coindesk.com/tech/2026/05/15/thorchain-halts-trading-after-usd10-million-cross-chain-exploit-rune-token-drops-12 ↗

Sourced from

chainbleed

Technical record