TL;DR
- THORChain restored trading, signing, swaps and liquidity provider actions after more than a month of checks following a $10.7 million exploit.
- The recovery included KeyVerify safety checks, verification of every node’s keyshare, retirement of legacy vaults and migration into a new vault set.
- The exploit involved GG20 threshold signature weakness and progressive key material leakage, with Zcash, Monero and Bittensor integrations now back on roadmap after network activity resumed fully.
THORChain has restored network activity after more than a month of security checks, upgrades and vault migration work triggered by a $10.7 million exploit. The cross-chain protocol said trading, signing, swaps and liquidity provider actions are live again after a halt that began on May 15. The restart is significant because THORChain is not simply reopening a market, it is asking users to trust a redesigned security posture after an attacker exposed a flaw inside the vault architecture that protects assets moving between chains.
Trading is live again on THORChain.
After more than a month offline, the network is fully back. Signing, churning, secured and trade assets, LP actions, and swaps are all up and running. The world's leading Bitcoin DEX is open for business once again.
This recovery was never…
— THORChain (@THORChain) June 23, 2026
The recovery centered on proving that old vault risk had been contained. THORChain said most vaults were confirmed safe through the KeyVerify protocol, remaining legacy vaults were retired, and assets were migrated into a new vault set. The team also completed verification of every node’s keyshare before restoring activity. That sequence matters because the network’s restart depends on distributed key confidence, not only software patches. For a protocol built to swap assets across networks such as Bitcoin and Ethereum, private-key coordination is the heart of the system.
Vault Migration Becomes THORChain’s Trust Test
The exploit was tied to a vulnerability in THORChain’s GG20 threshold signature scheme, which distributes vault key control across multiple node operators. According to the protocol, a malicious node operator was able to reconstruct a full private key through progressive key material leakage, enabling the theft of $10.7 million. THORChain issued an emergency patch on May 20, then released a June 9 upgrade that fixed the exploited vulnerability, followed by a June 11 update with stability improvements and KeyVerify fixes. That makes the exploit a cryptographic coordination failure, not a routine front-end incident.
The restart also reopens a protocol that has long been important, and controversial, in cross-chain markets. THORChain enables native swaps between major networks, but investigators have scrutinized it because hackers have used cross-chain liquidity routes to move stolen funds. With recovery largely complete, the roadmap is again moving forward: native swaps and vaults for Zcash are expected within two weeks, followed by Monero, while Bittensor support is planned about six weeks after restart. For now, THORChain’s comeback is also a credibility test, with security upgrades, privacy-asset integrations and renewed trading all arriving under the shadow of the May exploit, as users reassess whether upgraded vault design can restore confidence across cross-chain liquidity routes after prolonged disruption.
