THORChain (RUNE) Launches Refund Portal After $10M Exploit

THORChain, the decentralized cross-chain liquidity protocol, has launched a recovery portal following a confirmed $10 million exploit on May 11, 2026. The breach impacted 12,847 wallets across Bitcoin (BTC), Ethereum (ETH), BNB Chain, and Base. The portal, live as of May 16, allows affected users to check their compensation and submit refund claims, supported by a treasury-funded refund pool of equivalent size.

The incident, revealed via a PeckShield post-mortem, was traced to a vulnerability in THORChain’s GG20 threshold signature scheme (TSS). This flaw reportedly allowed an attacker to gradually leak sensitive vault key data, ultimately enabling unauthorized transactions. The attacker drained 36.75 BTC (approximately $3 million) and an additional $7 million in tokens across other chains. Trading and outbound signing were paused within eight minutes of detection, minimizing further losses.

Refund Portal and Next Steps

Affected users have until June 4, 2026, to submit their claims through the portal. Any unclaimed funds post-deadline will roll over to the protocol’s insurance fund. THORChain has stated that its treasury is working with on-chain analytics firm Outrider Analytics and law enforcement agencies to pursue the attacker and recover stolen assets.

Preliminary investigations suggest the attacker may be linked to a recently churned node that joined the network shortly before the exploit. On-chain connections between the node’s bonding addresses and wallets receiving stolen funds further bolster this theory.

Impact on RUNE and the Market

The exploit added downward pressure on THORChain’s native token, RUNE, which dropped roughly 11–13% during the incident. This decline reflects broader market concerns over recurring security vulnerabilities in DeFi protocols, especially as cross-chain bridges and TSS implementations have become frequent attack vectors. As of May 16, RUNE traded at $0.4382, down 0.14% over the past 24 hours, with a market cap of $157 million.

Crypto hacks have surged in 2026, with April alone witnessing $630 million in losses—the worst month since February 2025. High-profile incidents like KelpDAO’s $293 million exploit and Drift Protocol’s $280 million breach have driven the bulk of these losses, underscoring the growing complexity of DeFi attacks. THORChain’s latest incident adds to these industry-wide challenges, particularly as attackers increasingly exploit operational vulnerabilities over simple smart contract bugs.

THORChain’s Role in DeFi

Despite its security hurdles, THORChain remains a cornerstone of decentralized finance, enabling native cross-chain swaps without reliance on wrapped tokens or centralized intermediaries. The protocol has expanded its ecosystem significantly, integrating with over 10 blockchains and supporting native Solana (SOL) swaps as of February 2026. Its SDKs, including XChainJS and SwapKit, power integrations with wallets, aggregators, and decentralized exchanges, solidifying its position as critical DeFi infrastructure.

However, this latest exploit highlights the inherent risks in permissionless cross-chain operations. For traders and liquidity providers, the incident serves as a reminder to monitor not just protocol growth but also its ability to implement robust security measures.

As the recovery portal remains active until June 4, the community will be watching closely to see how effectively THORChain can compensate users and rebuild trust.

Image source: Shutterstock