Tuesday, May 19, 2026

THORChain Asgard Vault Exploit Drains $10M, Crashes $RUNE 15%

THORChain halted trading after attackers drained about $10.8 million from one of its protocol-owned vaults — and the RUNE token tanked 15% in minutes. The hit landed on a cross-chain network most newcomers have never heard of, but the same kind of infrastructure quietly moves billions every month between Bitcoin, Ethereum, and other big blockchains. Here’s what we know about the attack, why RUNE crashed, and what it tells you about cross-chain risk in 2026.

What actually happened with THORChain

On the morning of May 15, 2026, on-chain investigator ZachXBT posted a Telegram alert. Someone had likely exploited THORChain — a decentralized protocol that lets you swap native crypto across different blockchains. 

ZachXBT first estimated losses at $7.4 million, then updated the figure after a fuller on-chain audit. As he put it on Telegram, “It appears Thorchain was likely exploited on Bitcoin, Ethereum, BSC, Base for $10.7M+.”

Security firm PeckShield backed up the warning within minutes. The attack hit four networks at once: Bitcoin, Ethereum, BNB Smart Chain, and Base. Before we get into what broke, a quick note on what an Asgard vault even is. THORChain runs six of them, and they hold protocol-owned funds that back cross-chain swaps. Think of them as the network’s working capital. 

THORChain confirmed that attackers compromised one of its six Asgard vaults for approximately $10.7 million in protocol-owned funds. Initial indications point to user deposits remaining safe. The team hasn’t yet published a post-mortem explaining the exact attack vector. 

How the attacker moved the money

The community now points to a likely cause for the THORChain exploit: an exploit of GG20 TSS. TSS (threshold signature scheme) lets a group of nodes co-sign vault transactions without any single node holding the full private key. GG20 is the specific cryptographic protocol THORChain uses for it.

The working theory goes like this. A malicious node churned into the validator set, extracted key material from the other co-signers, reconstructed a full private key, and swept one of the vaults. Researchers have filed multiple CVEs against GG20 over the years and patched them at the time, but the community has already flagged what it believes is the malicious node behind this case. 
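
The threshold property behind the TSS description and the working theory above, as an added example (not THORChain's or GG20's code): it uses plain Shamir secret sharing as a stand-in for GG20 key shares, with an assumed 3-of-5 threshold and hypothetical function names. It shows that key material below the threshold is consistent with every possible key, while key material at the threshold is the key itself, which is why share confidentiality is the whole security boundary of a threshold vault.

```python
import secrets

# Order of the secp256k1 group, where Bitcoin and Ethereum ECDSA private keys live.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def split(secret, threshold, parties):
    """Give each party one point on a random degree-(threshold-1) polynomial
    whose constant term is the secret (plain Shamir sharing)."""
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(threshold - 1)]
    shares = {}
    for x in range(1, parties + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation at x
            y = (y * x + c) % N
        shares[x] = y
    return shares

def interpolate(points, at=0):
    """Lagrange-interpolate the polynomial through `points`, evaluated at `at`.
    With `threshold` shares and at=0 this returns the shared secret."""
    total = 0
    for xi, yi in points.items():
        num = den = 1
        for xj in points:
            if xj != xi:
                num = num * (at - xj) % N
                den = den * (xi - xj) % N
        total = (total + yi * num * pow(den, -1, N)) % N
    return total

def share_implied_by(known_shares, candidate_secret, x):
    """Share that party `x` would hold if the secret were `candidate_secret`.
    Below the threshold every candidate yields a valid answer, so the shares
    already known cannot rule any candidate out."""
    return interpolate({0: candidate_secret % N, **known_shares}, at=x)

if __name__ == "__main__":
    key = secrets.randbelow(N - 1) + 1      # constructed stand-in for a vault key
    shares = split(key, threshold=3, parties=5)
    two = {1: shares[1], 2: shares[2]}
    three = {**two, 4: shares[4]}
    print("2 shares recover key:", interpolate(two) == key)
    print("3 shares recover key:", interpolate(three) == key)
    print("2 shares fit a wrong key too:",
          share_implied_by(two, key + 1, 3) != shares[3])
```
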

The damage stayed contained to 1 of 6 Asgard vaults, meaning the attacker drained roughly 20% of protocol-owned funds in active vaults. That’s the structural reason user deposits look safe: the other four vaults remained untouched. 

The attacker then swapped most of the stolen tokens to ETH and routed them into a single wallet — a familiar pattern that scrambles the trail across chains. Stolen assets included WBTC, USDT, USDC, DAI, AAVE, and Chainlink (LINK). 

Arkham Intelligence flagged the main wallets as “THORChain Exploiter” addresses. One Bitcoin wallet held roughly 36.85 BTC (about $3 million). An Ethereum wallet held over 3,156 ETH (about $7.1 million). The protocol responded fast. Nodes triggered a global emergency halt, freezing trading and signing for roughly 12 hours and 42 minutes.

Why $RUNE crashed — and what it means for holders

To understand why the 15% drop hit so hard, you need to zoom out for a minute. RUNE wasn’t crashing from a flat chart — it was crashing from the top of a parabolic rally that doubled the token’s price in 30 days. How did that setup play out? 

The 100% $RUNE rally before the exploit 

This is where the timing really hurts. RUNE had run from around $0.30 in mid-April to about $0.60 just before the hack — roughly a 100% gain in 30 days. Two things drove the rally.

  • First, on May 12, THORChain burned 64.4 million RUNE, slashing total supply to 360 million and reinforcing the token’s deflationary design. 
  • Second, daily cross-chain volume was spiking, partly because traders kept using the protocol as a routing layer for other hacked funds.

The token also broke above its upper Bollinger Band on May 5 — a classic overheated signal that often warns of a cooldown ahead. With RSI sitting around 67, RUNE was already pushing the limits of a healthy uptrend before the news broke. The chart was vulnerable. 

After the exploit, $RUNE crashed 15%

Within minutes of ZachXBT’s alert, RUNE dropped from $0.58 to roughly $0.50, wiping about $27 million off its market cap. Trading volume jumped 140% as panic selling kicked in. 

If you bought RUNE in the last week, you’re probably underwater. The token never gave bulls a clean entry after the Bollinger Band breakout, and the hack handed late-cycle traders a perfect excuse to take profit.

Open interest on Binance and Bybit RUNE futures spiked 17–19% in the four hours after the alert, hinting that short sellers were piling on. 

The good news, if there is any: THORChain’s emergency halt worked exactly as designed. Trading and signing froze across all connected chains, while the THORChain blockchain itself continued to run. Security researchers have been calling for that kind of circuit breaker across DeFi for years.

A pattern, not a one-off

The THORChain Asgard vault exploit is the latest hit in a brutal stretch of cross-chain attacks. 

April 2026 alone saw over $634 million stolen across DeFi protocols, the highest monthly sum since the $1.46 billion in February 2025, when hackers staged the record $1.4 billion Bybit exchange attack. 

The KelpDAO and Drift Protocol hacks made up most of April’s damage. Bridge-style protocols like THORChain keep showing up in these stories — often as the laundering route, not the target. 

And earlier this month, a different kind of 1inch liquidity provider exploit drained $6.7 million from TrustedVolumes through a permission flaw in custom resolver contracts — same theme, different attack surface.

The industry response has been mixed so far. Some teams are moving to safer infrastructure. Solv Protocol just shifted $700 million away from LayerZero to Chainlink CCIP. Others are rethinking the user-facing layer entirely: we covered how the Ethereum Foundation’s new clear signing standard aims to close the “blind signing” gap that enabled the Bybit hack.

What you should actually do

If you’ve ever used THORChain or any cross-chain DEX (decentralized exchange), now is a good moment to check your token approvals on Revoke.cash.

Old approvals are one of crypto’s biggest hidden risks. They stay active long after you’ve moved on from a protocol, and a compromised contract can use them to pull funds without asking again.
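
What an approval check computes, as an added example (not Revoke.cash's code): it replays ERC-20 `Approval` event logs in the shape returned by the `eth_getLogs` JSON-RPC call and reports which spenders still hold a non-zero approval from a wallet. All addresses and log entries are constructed placeholders, and the function names are hypothetical.

```python
# ERC-20 Approval(address indexed owner, address indexed spender, uint256 value)
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1  # the "infinite approval" value many dApps request

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def open_approvals(logs, owner):
    """Return the approvals `owner` last set to a non-zero value.

    Logs record the value last approved, not what is left after spending;
    an on-chain allowance() call remains the authoritative figure.
    """
    latest = {}
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        topics = log["topics"]
        # ERC-721 reuses this topic with a fourth (indexed tokenId) topic: skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        latest[key] = int(log["data"], 16)  # later events overwrite earlier ones
    return [{"token": t, "spender": s, "value": v, "unlimited": v == UNLIMITED}
            for (t, s), v in sorted(latest.items()) if v > 0]

# --- constructed sample data: every address below is a placeholder ---
OWNER, OTHER = "0x" + "aa" * 20, "0x" + "dd" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
SPENDER_X, SPENDER_Y = "0x" + "bb" * 20, "0x" + "cc" * 20

def make_log(token, owner, spender, value, block, index=0):
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x"),
            "blockNumber": hex(block), "logIndex": hex(index)}

SAMPLE_LOGS = [
    make_log(TOKEN_A, OWNER, SPENDER_Y, 0, 105),          # revokes the block-101 approval
    make_log(TOKEN_A, OWNER, SPENDER_X, UNLIMITED, 100),  # never revoked
    make_log(TOKEN_A, OWNER, SPENDER_Y, 500, 101),
    make_log(TOKEN_B, OWNER, SPENDER_X, 1000, 102),
    make_log(TOKEN_B, OTHER, SPENDER_X, UNLIMITED, 103),  # different owner, ignored
]

if __name__ == "__main__":
    for row in open_approvals(SAMPLE_LOGS, OWNER):
        print(row)
```

Setting an approval back to zero, as the block-105 entry does, is what removes a spender from the result.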

You don’t need to panic, but you should pay attention. Cross-chain protocols are the connective tissue of modern DeFi, and we expect more of these stories before things settle down.

The post THORChain Asgard Vault Exploit Drains $10M, Crashes $RUNE 15% appeared first on Memeburn.
