Decentralized cross-chain liquidity protocol THORChain paused all trading and signing operations on Friday after a suspected exploit drained approximately $10.8 million from its vaults across four blockchains, according to on-chain investigator ZachXBT. The protocol’s native RUNE token fell about 13% following the disclosure, slipping from $0.58 to $0.51, per CoinGecko data.
The attack hit Bitcoin, Ethereum, BNB Chain, and Base simultaneously, ZachXBT said in a Telegram alert, with wallets tied to the attacker currently holding roughly 3,443 ETH, 36.85 BTC, and 96.6 BNB. Security firm PeckShield confirmed the suspicious activity and identified two attacker addresses on Bitcoin and two on EVM-compatible chains. THORChain’s Mimir governance module flipped both trading-halt and signing-halt parameters to active, with the node pause running approximately 12 hours and 42 minutes from block 26190429. The protocol has not yet released a post-mortem or publicly confirmed the attack vector.
This is at least the third major security incident for THORChain in recent years, according to Cointelegraph. The protocol suffered multiple multi-million-dollar exploits during 2021, including an ETH router hack and a separate Bifrost bug. The platform’s open architecture — designed to swap native assets across chains without bridging or KYC — has made it a recurring target. Recent forensic reports also identified THORChain as a laundering route used by attackers in the Kelp DAO incident (roughly $80 million in stolen ETH) and an IoTeX bridge exploit.
The broader DeFi security backdrop is deteriorating. April recorded over $634 million in DeFi-related thefts, per DefiLlama data, the highest monthly figure since February 2025 when attackers staged the $1.4 billion Bybit hack. Cross-chain bridges and liquidity protocols have absorbed more than $2.8 billion in cumulative thefts since 2021, according to Chainalysis. The recurring pattern — opaque transaction approvals, complex multi-chain flows, weak human-readable verification — is precisely what the Ethereum Foundation’s recently launched Clear Signing standard targets, though that framework remains in early rollout.
Market implication is contained but specific. Cross-chain liquidity protocols carry concentration risk: a halt at THORChain temporarily strands swap capacity between BTC and EVM chains that competing bridges cannot fully absorb on short notice. RUNE was already down roughly 72% year-on-year heading into the incident. For traders, the relevant near-term variable is whether the protocol publishes a clean post-mortem with a recovery plan or whether the loss compounds — historically, projects that disclose vector and remediation within 48 hours retain materially more user trust than those that delay.
