Cross-chain liquidity protocol THORChain has launched a formal refund portal for victims of its May 17 exploit, which drained $10.8 million from multi-chain vaults and suspended operations for more than 13 hours. RUNE, the protocol’s native token, tumbled roughly 12% in the immediate aftermath and has yet to fully recover, reflecting the market’s unease about the security of decentralized cross-chain infrastructure.
The portal opened on May 19 and gives affected users until June 4, 2026 to submit claims. Funds that remain unclaimed after that deadline will be rolled into the protocol’s on-chain insurance fund, which is intended to cover future shortfalls and make whole any users who can’t be identified through the claims process.
How the Exploit Happened
Investigators working alongside the THORChain security team (THORSec) and external partners have identified the probable attack vector: a flaw in the protocol’s implementation of the GG20 Threshold Signature Scheme (TSS). The attacker is believed to have gradually extracted partial key material from vault nodes – a slow-leak technique that avoids triggering standard anomaly detection – until enough fragments were accumulated to reconstruct a full private key and authorise unauthorised withdrawals.
“This wasn’t a flash-loan attack or a price-oracle manipulation,” a THORSec contributor wrote in the incident post-mortem. “The attacker was patient, operating across multiple blocks before the vault key was compromised enough to act.”
Once the key was reconstructed, funds were moved across at least four chains – Bitcoin, Ethereum, Litecoin, and BNB Chain – before the protocol’s automated safety mechanisms halted cross-chain swaps. The 13-hour outage was the longest in THORChain’s history.
who’s Affected and What’s Covered
The refund portal covers liquidity providers and swap users who suffered direct losses during the exploit window. THORChain’s treasury confirmed it’s working with Outrider Analytics, an on-chain forensics firm, and has shared address data with law enforcement agencies in multiple jurisdictions.
The protocol hasn’t publicly disclosed the exact reimbursement mechanism – whether payouts will come in RUNE, the assets lost, or a stablecoin equivalent – though the claims process requires users to connect the affected wallet addresses and submit supporting transaction records.
Any unclaimed funds after June 4 will enter the insurance pool rather than revert to the treasury, a design choice intended to maintain user trust even if not all victims can be reached.
Warning: Scammers Are Active
THORChain contributors have issued a pointed warning: several fake social media accounts are running fraudulent “refund” campaigns, impersonating official channels with promises of airdrops or priority compensation. The protocol stressed that no airdrop or unsolicited refund programme exists – all legitimate claims flow through the official portal only, accessible via the verified THORChain governance forum and the thorchain.org domain.
Users who receive direct messages on Telegram, Discord, or X/Twitter claiming to offer faster reimbursement should treat them as scams.
RUNE Price and Market Reaction
RUNE fell from roughly $3.40 to $2.99 in the hours following the exploit disclosure, a drop of approximately 12%. Trading volumes spiked threefold as holders debated whether the insurance fund and refund mechanism would be sufficient to restore confidence.
At the time of publication, RUNE had partially recovered to around $3.18 but remains below its pre-exploit level. On-chain data from Nansen shows a net outflow of RUNE from liquidity pools over the past 72 hours, suggesting some LPs are withdrawing liquidity while the investigation continues.
Broader Implications for Cross-Chain DeFi
The THORChain incident is the fourth significant cross-chain exploit in 2026 and underscores a persistent vulnerability in the architecture of decentralised bridges and liquidity networks. Unlike single-chain DeFi protocols, cross-chain infrastructure must secure private key material across multiple independent validator sets – a fundamentally harder problem than a single smart-contract audit.
“The industry hasn’t solved the multi-party computation key management problem in production environments,” said Nic Carter, a partner at Castle Island Ventures, in a comment on X. “THORChain is one of the more mature protocols out there. If they’re vulnerable, everyone is taking notes.”
Security researchers point to the GG20 TSS scheme specifically as an implementation challenge: while the cryptography itself is sound, deploying it across dozens of geographically distributed nodes – each running different hardware and software stacks – creates surface area that static audits routinely miss.
THORChain’s development community has proposed migrating to a newer MPC scheme as part of a post-exploit protocol upgrade expected to be put to a governance vote within 30 days.
What Happens Next
- Claims deadline: June 4, 2026 – affected users must submit before this date
- Governance vote on TSS upgrade: Expected within 30 days of the incident
- Law enforcement involvement: Outrider Analytics coordinating with agencies in at least three jurisdictions
- Protocol status: Cross-chain swaps resumed on May 18 after a patch was deployed to vault nodes
THORChain has navigated exploits before – notably in 2021 – and recovered to become one of the highest-volume decentralised cross-chain protocols. Whether this incident follows the same recovery arc will depend on how quickly the insurance fund reimbursements are processed and whether the proposed TSS upgrade can close the identified vulnerability before another attacker attempts a similar approach.
FAQ
How do I file a claim for the THORChain exploit? Visit the official THORChain refund portal linked through the thorchain.org website or the verified governance forum. Connect the affected wallet, provide transaction records, and submit before June 4, 2026. don’t trust links shared in DMs or unofficial channels.
Will THORChain compensate all victims in full? The protocol has committed to reimbursing verified claims through its treasury and insurance fund. The exact compensation ratio will depend on the total validated losses versus available funds – details are expected in an official announcement before the June 4 deadline.
Is RUNE safe to hold after the exploit? RUNE’s risk profile has increased in the short term given ongoing uncertainty about the full extent of the vulnerability. However, THORChain has a history of recovering from exploits. Investors should assess the protocol’s ongoing security review and governance response before making trading decisions.
