THORChain halts all cross-chain swaps today after investigators identified a multi-million dollar exploit targeting the protocol’s liquidity pools. The decentralized network remains in a state of emergency as 95-plus globally distributed node operators coordinate a forensic review of unusual outflows across Bitcoin, Ethereum, BNB Chain, and Base.
- THORChain node operators halt cross-chain swaps after investigators identify a ten-million-dollar exploit targeting multi-chain liquidity pools.
- Attackers exfiltrated 36.75 BTC along with ETH, causing RUNE to drop thirteen percent following the emergency mimir system activation.
- The breach tests THORChain’s decentralized governance as ninety-five nodes coordinate a forensic audit to identify the protocol's underlying cross-chain vulnerability.
Blockchain investigator ZachXBT and security firms PeckShield and Arkham flagged the suspicious activity yesterday. On-chain data showed attackers moving approximately 36.75 BTC along with significant amounts of ETH and other digital assets. Total losses reached between $7.4 million and $10 million, with the final figure fluctuating based on real-time asset pricing during the drain.
The protocol’s decentralized node operators responded within hours of the first alert. One operator, SamYap, initiated a global pause via the “mimir” emergency system. The built-in governance tool allowed nodes to vote on a trade suspension without the need for a central administrator or a “god-key.” The pause stopped new swap requests but allowed the network to continue processing outbound transactions and refunds for deposits that were already in flight. THORChain engineered the mimir mechanism specifically to provide breathing room during active exploits.
No official post-mortem existed as of Friday morning. Analysts pointed to a potential vulnerability in how the protocol handled cross-chain observations or liquidity pool interactions on the four targeted chains. The attackers routed the stolen funds through THORChain’s native swap paths, a pattern that investigators noted matched “previous high-profile laundering flows.” Pending deposits received automatic refunds once the halt took effect, which limited further exposure for retail users and liquidity providers.
Genuine News Deserves Honest Attention.
High-conviction projects require an intelligent audience. Connect with readers who value sharp reporting.
👉 Submit Your PRThe native token RUNE, which serves as the collateral and governance unit for the protocol, dropped more than 13 percent in the 24 hours following the breach. Liquidity providers who maintained positions through the pause avoided immediate liquidation risk, yet the event disrupted the platform’s $1 billion-plus in total value locked. Traders who relied on the network for permissionless moves between Bitcoin and Base faced a total blackout of swap services.
The defensive response highlighted THORChain’s core design philosophy. Unlike centralized exchanges that freeze accounts via corporate decree, the network relied on a distributed consensus among nodes to reach an emergency decision. The quick mimir vote prevented a larger drain and gave developers time to analyze the exact exploit vector. Stolen assets remained in attacker-controlled wallets this morning as forensic teams continued to map the movement of the 36.75 BTC.
Chain Street’s Take
THORChain’s emergency brake worked as designed; the nodes saw the drain and killed the engine before the pools were emptied. This incident is a live lesson in the trade-offs of decentralized speed. Liquidity providers get the benefit of a fast, consensus-driven recovery, but they also have to accept that even the most “unstoppable” infrastructure can grind to a halt when the validators see danger. The $10 million loss is a blow to RUNE’s momentum, but the success of the Mimir system proves that THORChain’s distributed security model is more than just a theoretical concept.
Activate Intelligence Layer
Institutional-grade structural analysis for this article.
