{"id":367,"date":"2026-05-15T14:29:07","date_gmt":"2026-05-15T14:29:07","guid":{"rendered":"https:\/\/1stblock.info\/?p=367"},"modified":"2026-05-15T14:29:08","modified_gmt":"2026-05-15T14:29:08","slug":"thorchain-halts-trading-after-suspected-10-8m-multi-chain-exploit-rune-drops-13","status":"publish","type":"post","link":"https:\/\/1stblock.info\/?p=367","title":{"rendered":"THORChain Halts Trading After Suspected $10.8M Multi-Chain Exploit, RUNE Drops 13%"},"content":{"rendered":"\n<p>Decentralized cross-chain liquidity protocol <strong>THORChain<\/strong> paused all trading and signing operations on Friday after a suspected exploit drained approximately <strong>$10.8 million<\/strong> from its vaults across four blockchains, according to on-chain investigator <strong>ZachXBT<\/strong>. The protocol&#8217;s native <strong>RUNE<\/strong> token fell about <strong>13%<\/strong> following the disclosure, slipping from <strong>$0.58<\/strong> to <strong>$0.51<\/strong>, <em>per CoinGecko data<\/em>.<\/p>\n\n\n\n<p>The attack hit Bitcoin, Ethereum, BNB Chain, and Base simultaneously, <em>ZachXBT said in a Telegram alert<\/em>, with wallets tied to the attacker currently holding roughly <strong>3,443 ETH<\/strong>, <strong>36.85 BTC<\/strong>, and <strong>96.6 BNB<\/strong>. Security firm PeckShield confirmed the suspicious activity and identified two attacker addresses on Bitcoin and two on EVM-compatible chains. THORChain&#8217;s Mimir governance module flipped both trading-halt and signing-halt parameters to active, with the node pause running approximately <strong>12 hours and 42 minutes<\/strong> from block 26190429. The protocol has not yet released a post-mortem or publicly confirmed the attack vector.<\/p>\n\n\n\n<p>This is at least the third major security incident for THORChain in recent years, <em>according to Cointelegraph<\/em>. 
The protocol suffered multiple multi-million-dollar exploits during 2021, including an ETH router hack and a separate Bifrost bug. The platform&#8217;s open architecture \u2014 designed to swap native assets across chains without bridging or KYC \u2014 has made it a recurring target. Recent forensic reports also identified THORChain as a laundering route used by attackers in the Kelp DAO incident (roughly <strong>$80 million<\/strong> in stolen ETH) and an IoTeX bridge exploit.<\/p>\n\n\n\n<p>The broader DeFi security backdrop is deteriorating. April recorded <strong>over $634 million<\/strong> in DeFi-related thefts, <em>per DefiLlama data<\/em>, the highest monthly figure since February 2025, when attackers staged the <strong>$1.4 billion<\/strong> Bybit hack. Cross-chain bridges and liquidity protocols have absorbed more than <strong>$2.8 billion<\/strong> in cumulative thefts since 2021, <em>according to Chainalysis<\/em>. The recurring pattern \u2014 opaque transaction approvals, complex multi-chain flows, weak human-readable verification \u2014 is precisely what the Ethereum Foundation&#8217;s recently launched <strong>Clear Signing<\/strong> standard targets, though that framework remains in early rollout.<\/p>\n\n\n\n<p>The market implication is contained but specific. Cross-chain liquidity protocols carry concentration risk: a halt at THORChain temporarily strands swap capacity between BTC and EVM chains that competing bridges cannot fully absorb on short notice. RUNE was already down roughly <strong>72%<\/strong> year-on-year heading into the incident. 
For traders, the relevant near-term variable is whether the protocol publishes a clean post-mortem with a recovery plan or whether the loss compounds \u2014 historically, projects that disclose vector and remediation within 48 hours retain materially more user trust than those that delay.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Decentralized cross-chain liquidity protocol THORChain paused all trading and signing operations on Friday after a suspected exploit drained<\/p>\n","protected":false},"author":2,"featured_media":368,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[3],"tags":[],"class_list":["post-367","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-market"],"brizy_media":[],"_links":{"self":[{"href":"https:\/\/1stblock.info\/index.php?rest_route=\/wp\/v2\/posts\/367","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/1stblock.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/1stblock.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/1stblock.info\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/1stblock.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=367"}],"version-history":[{"count":1,"href":"https:\/\/1stblock.info\/index.php?rest_route=\/wp\/v2\/posts\/367\/revisions"}],"predecessor-version":[{"id":369,"href":"https:\/\/1stblock.info\/index.php?rest_route=\/wp\/v2\/posts\/367\/revisions\/369"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/1stblock.info\/index.php?rest_route=\/wp\/v2\/media\/368"}],"wp:attachment":[{"href":"https:\/\/1stblock.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=367"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/1stblock.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=367"}
,{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/1stblock.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}