THORChain Loses $10.7M in Vault Churn Exploit; RUNE Drops 13.5%
THORChain lost $10.7M on May 15, 2026 after attackers poisoned a vault churn address, redirecting funds across Bitcoin, Ethereum, and BNB Smart Chain. RUNE fell 13.5% as the protocol halted all trading and signing operations.
THORChain suffered a security breach on May 15, 2026, that drained approximately $10.7 million from one of its six Asgard vaults. Attackers poisoned the vault churn address during a routine migration, redirecting funds across at least four blockchains including Bitcoin, Ethereum, and BNB Smart Chain. RUNE, the protocol's native token, fell roughly 13.5% on the news as the team halted all trading and signing operations.
How the Attack Worked
Vault churn is a routine process in which THORChain rotates its Asgard vaults, the MPC (Multi-Party Computation) wallets that hold user funds across multiple chains. MPC wallets distribute private key control across multiple nodes so no single party can authorize a transaction alone. During churn, the protocol migrates assets to a new vault address. Attackers exploited this window by injecting a poisoned destination address into the churn process, causing the network to route outbound transactions to attacker-controlled wallets instead of the intended new vault.
On-chain investigator ZachXBT first flagged the suspected exploit via Telegram, pointing to a series of anomalous outbound transactions. THORChain developers confirmed in an official announcement that one of six Asgard vaults was compromised, with approximately $7.4 million in unauthorized outbound transactions completed before the network detected the anomaly and halted signing activity. Total losses, including funds moved across all affected chains, reached the $10 to $11 million range.
Damage Containment and Protocol Response
The team's decision to pause signing operations quickly appears to have capped losses that could have been substantially higher. With six Asgard vaults holding cross-chain liquidity, a full compromise across all vaults would have exposed a far larger pool of user funds. THORChain's incident response protocols activated fast enough to protect the remaining five vaults.
At $10.7 million in confirmed losses, this is not a minor operational hiccup. The attack surface was not the underlying cryptographic scheme itself. MPC threshold signatures, which require a quorum of nodes to co-sign any transaction, were not broken mathematically. Attackers targeted the operational layer instead: the address-handling logic during a predictable, scheduled process. That distinction matters for how the broader industry interprets the incident. The MPC model is not inherently defeated, but the process surrounding it clearly needs hardening.
Market Reaction
RUNE was trading down approximately 13.5% at the time of the halt, with individual reports ranging from 12% to 15% depending on the measurement window. The sell-off was immediate and sharp, consistent with the market's pattern of punishing cross-chain protocols harshly after security incidents. Cross-chain bridges and liquidity networks carry compounded risk because exploits propagate across multiple chains simultaneously, making the damage harder to contain and the optics worse.
THORChain has been here before. The protocol suffered multiple exploits in 2021, including a $7.6 million flash loan attack in June and an $8 million reentrancy exploit in July of that year. Each incident was followed by a recovery, and the protocol continued operating. Whether that track record reassures or alarms users likely depends on how quickly the team publishes a post-mortem and what remediation steps it commits to.
MPC Security Under the Microscope
The incident is adding fresh scrutiny to MPC and threshold-signature wallet infrastructure across the DeFi sector. MPC was widely adopted as an upgrade over single-signature hot wallets precisely because it eliminates single points of failure at the key level. But this exploit illustrates that eliminating a single point of failure in one layer does not eliminate risk across all layers. Operational processes, address validation logic, and churn mechanics each represent their own attack surfaces.
Cross-chain protocols are structurally more exposed than single-chain applications because they must manage state, addresses, and asset custody across heterogeneous networks simultaneously. The Poly Network exploit in 2021 ($611 million), the Ronin bridge hack in 2022 ($625 million), and the Nomad bridge collapse in 2022 ($190 million) all targeted the bridging layer rather than any single chain's base security. THORChain's latest incident fits that pattern: the vulnerability was not in Bitcoin's UTXO model or Ethereum's EVM, but in the protocol logic connecting them.
What Comes Next
THORChain's path forward depends on three things: a credible post-mortem that identifies exactly how the churn address was poisoned, a concrete fix to the vault migration process, and a timeline for reopening trading. Users with liquidity in the protocol will be watching closely for any indication that the remaining five vaults are fully secure before the network resumes normal operations.
For the broader cross-chain sector, the episode is a reminder that security audits focused on smart contract code can miss operational vulnerabilities in off-chain processes. Vault churn is not an exotic edge case; it is a scheduled, recurring function. If the address validation logic during churn was insufficient, that gap should have been caught in operational security reviews. The industry's security tooling has matured considerably since 2021, but this incident suggests the maturation has not been uniform.
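The kind of churn-time address validation discussed above can be sketched as follows. This is an added example, not THORChain code and not a reconstruction of the incident: each signer re-derives the expected new-vault address from its own record of the new vault's public key and refuses to co-sign a migration to any other destination. The derivation function, class names, keys and amounts are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

def derive_address(chain: str, vault_pubkey: bytes) -> str:
    # Constructed stand-in: real chains use their own encodings (bech32, hex, ...).
    digest = hashlib.sha256(chain.encode() + b"|" + vault_pubkey).hexdigest()
    return f"{chain.lower()}-{digest[:40]}"

@dataclass(frozen=True)
class MigrationTx:          # hypothetical record of one churn outbound
    chain: str
    to_address: str
    amount: int

class Signer:               # hypothetical quorum member
    def __init__(self, name: str, new_vault_pubkey: bytes):
        self.name = name
        # Each node keeps its own record of the new vault key from key generation.
        self.new_vault_pubkey = new_vault_pubkey

    def approves(self, tx: MigrationTx) -> bool:
        # Re-derive the destination locally; never trust the proposed address.
        return tx.to_address == derive_address(tx.chain, self.new_vault_pubkey)

def review_migration(txs, signers, threshold):
    """Split proposed migrations into (signable, rejected) by signer votes."""
    signable, rejected = [], []
    for tx in txs:
        votes = sum(s.approves(tx) for s in signers)
        (signable if votes >= threshold else rejected).append(tx)
    return signable, rejected

def should_halt(rejected) -> bool:
    # A single migration to an unexpected address is enough to pause signing.
    return len(rejected) > 0

# Constructed sample: 4 signers, threshold 3, one signer with a tampered record.
NEW_VAULT = b"constructed-new-vault-pubkey"
ROGUE = b"constructed-rogue-pubkey"
SIGNERS = [Signer(f"node{i}", NEW_VAULT) for i in range(3)] + [Signer("node3", ROGUE)]
PROPOSED = [
    MigrationTx("BTC", derive_address("BTC", NEW_VAULT), 500),
    MigrationTx("ETH", derive_address("ETH", ROGUE), 900),   # poisoned destination
    MigrationTx("BSC", derive_address("BSC", NEW_VAULT), 300),
]

if __name__ == "__main__":
    ok, bad = review_migration(PROPOSED, SIGNERS, threshold=3)
    print("signable:", [t.chain for t in ok])
    print("rejected:", [t.chain for t in bad], "halt:", should_halt(bad))
```

Because every signer checks the destination against its own key record, a poisoned address only gets signed if a threshold of nodes hold the same tampered record, and any rejected migration is a signal to pause signing.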



