THORChain Suffers a $10 Million Cross-Chain Exploit as RUNE Drops 15%
THORChain suffered a cross-chain exploit on May 16, with on-chain investigator ZachXBT identifying a breach exceeding $10 million that spanned the Bitcoin, Ethereum, BNB Smart Chain, and Base networks. The RUNE token fell 15% in response.
The protocol activated emergency measures after the attack was identified. Chainalysis traced weeks of preparatory on-chain activity linking the attacker to a calculated laundering operation involving Monero and Hyperliquid prior to the breach.
The Attack in Detail
THORChain, a decentralized cross-chain liquidity protocol that allows users to swap native assets across different blockchains without wrapping tokens, lost more than $10 million across four networks in the May 16 incident.
Cross-chain liquidity protocols, systems that pool assets from multiple blockchains to facilitate direct swaps, present a structurally larger attack surface than single-chain platforms because a successful breach can drain funds locked in pools across several networks simultaneously.
ZachXBT, a pseudonymous on-chain investigator whose previous work has exposed multiple high-profile exploits, posted findings shortly after the attack. The attacker moved funds across Bitcoin, Ethereum (ETH), BNB Smart Chain, and Base, complicating recovery efforts by distributing proceeds across different blockchains.
RUNE fell 15% on the day as the market priced in protocol risk and the potential for additional outflows from THORChain’s liquidity pools.
Blockchain analytics firm Chainalysis published a trail analysis showing the attacker had pre-positioned funds through Monero, a privacy coin, and through Hyperliquid’s perpetual futures platform in the weeks before the breach. The pattern suggests deliberate planning rather than opportunistic exploitation of a newly discovered vulnerability.
How THORChain Works
THORChain enables native-asset swaps by maintaining liquidity pools in a network of nodes that collectively custody funds on each supported blockchain.
When a user swaps Bitcoin (BTC) for Ethereum natively, THORChain’s nodes unlock BTC on the Bitcoin chain and release ETH from the Ethereum pool, rather than creating a wrapped token. This approach preserves the native properties of each asset but requires the protocol to hold real balances across every chain it supports.
That custody model is the fundamental source of risk.
Every pool of native assets held by THORChain’s node network is a potential target. The protocol uses bonded node operators who must lock up RUNE as collateral, with the theory that the cost of attacking the network exceeds the potential gain.
The May 16 breach suggests the attacker found a path that bypassed that deterrent, at least partially.
Background
THORChain has faced security incidents before. In 2021, the protocol suffered two separate exploits within weeks of each other, losing approximately $8 million in the first and $5 million in the second.
The team paused the network each time, reimbursed affected liquidity providers using community treasury funds, and resumed operations after security patches. Those events established a precedent of transparent post-incident response.
The protocol’s total value locked recovered to several hundred million dollars after the 2021 incidents as cross-chain activity grew.
Its RUNE token reached all-time highs during the 2021 bull market before declining through the 2022 downturn. The 2026 attack lands during an already-difficult period for RUNE, which had been underperforming the broader altcoin market before May 16.
The prior exploits had also drawn scrutiny of THORChain’s multi-chain custody model from security researchers who argued the attack surface would grow with each additional blockchain added to the network.
What Comes Next
THORChain’s node operators will need to complete an audit of the exploit vector before resuming normal operations. The protocol’s community treasury and the bonded RUNE model will face scrutiny over whether adequate collateral exists to cover affected liquidity providers.
If the response mirrors 2021, the team will likely publish a post-mortem, propose reimbursement terms, and schedule a restart within days.
The longer-term question is structural. Cross-chain liquidity protocols carry inherent custody risk across every chain they support.
As the number of supported networks grows, so does the total value at risk. Competing designs using intent-based bridging or off-chain settlement have gained ground partly as a response to exactly this vulnerability profile.
THORChain’s response to this incident will determine whether it retains the liquidity provider confidence needed to remain competitive in that evolving landscape.
