THORChain Trading Resumed After $10.7M Vault Exploit
THORChain resumed trading after a five-week halt that followed a reported $10.7 million multichain exploit in May 2026 affecting an Asgard vault; the present record remains sparse on mechanism, attribution, and recovery.
In May 2026, THORChain experienced a reported $10.7 million multichain exploit that affected an Asgard vault, after which trading was halted for five weeks before later resuming.<sup class="cite">[2]</sup><sup class="cite">[3]</sup><sup class="cite">[5]</sup><sup class="cite">[1]</sup> The presently available record establishes the timing of the incident, the reported loss amount, the affected vault type, and the subsequent resumption of trading.<sup class="cite">[4]</sup><sup class="cite">[5]</sup><sup class="cite">[3]</sup><sup class="cite">[1]</sup> It does not establish the technical exploit path, attribution, recovery status, or any formal legal outcome. As a result, the principal mechanism remains undocumented in the dossier, and the event is best characterised as a partially described protocol exploit with confirmed operational disruption but unresolved forensic detail.
This post-mortem relied on the structured dossier provided for the event, whose factual record was derived from a single published source summary by The Block and the event metadata attached to the archive entry. Verification was therefore limited to claims explicitly stated in that source: the five-week halt, the reported $10.7 million loss, the multichain character of the exploit, the involvement of an Asgard vault, and the later resumption of trading.<sup class="cite">[1]</sup><sup class="cite">[2]</sup><sup class="cite">[3]</sup><sup class="cite">[4]</sup><sup class="cite">[5]</sup> No court filings, protocol post-mortems, audit reports, or transaction-level records were included in the brief, so claims beyond those points were treated as unestablished.
THORChain was reported to have resumed trading on 2026-06-23 after a five-week halt that followed a $10.7 million multichain exploit in May 2026 affecting an Asgard vault.[1][2][3][4][5] Within the present dossier, those points form the core established record: a protocol-level incident occurred in May, the loss was reported at $10.7 million, an Asgard vault was identified as the affected component, trading was halted, and trading later resumed.[2][3][5][1]
The earliest pivotal moment recorded in the archive metadata was 2026-05-19, which the dossier lists as the primary date for the event.[4] The source summary described the incident as a multichain exploit in May and stated that it affected an Asgard vault.[2][3] The available material did not specify whether the exploit originated from a smart-contract flaw, key compromise, logic error, cross-chain message issue, or another failure mode. As of the present record, only the existence of the exploit, its reported scale, and the affected vault designation have been established.[2][3][5]
Following the exploit, THORChain entered a trading halt that lasted five weeks.[1] The dossier did not provide a formal incident-response chronology beyond that interruption, and it did not indicate whether the halt applied to all trading functions or only to specific markets or routing paths. It nevertheless established that the exploit had operational consequences substantial enough to be followed by a multiweek suspension and that the suspension was later lifted.[1][2] In practical terms, the halt functioned as the clearest documented containment measure in the present record, even though the underlying rationale, governance process, and technical remediation steps were not described in the source material.[1]
The next pivotal point in the documented sequence occurred on 2026-06-23, when The Block reported that THORChain had resumed trading after the halt.[1] That resumption established a return to operation, but it did not by itself resolve the unanswered forensic questions surrounding the exploit. The dossier did not state whether the protocol had published a root-cause analysis, whether the affected Asgard vault had been recapitalised, or whether any compensatory or recovery process had been completed. The record therefore supports a narrow conclusion: operations resumed after five weeks, but the mechanism of loss and the disposition of funds remain undescribed in the available materials.[1][3][5]
The loss amount was reported as $10.7 million, and the incident was characterised as multichain rather than confined to a single network.[2][5] That description is material because THORChain operates across chains, and the mention of an Asgard vault indicates that the affected component was not described merely as a peripheral interface or external integrator in the source summary.[3] Even so, the dossier did not provide transaction hashes, chain-by-chain loss attribution, or any statement on whether the full reported amount left protocol control in a single sequence or across multiple transfers. The absence of those details prevents reconstruction of the exploit path from the present record alone.
The documented consequences were therefore limited but concrete. THORChain sustained a reported $10.7 million loss, an Asgard vault was identified as affected, and trading was halted for five weeks before resuming.[5][3][1] The dossier did not include user counts, legal proceedings, regulatory actions, recovery figures, or a formal protocol post-incident report. On the current evidence, the event is established as a completed exploit with material operational disruption and a later return to trading, while the technical and legal record remains incomplete.[1][2][3][5]
Discussion
Within CryptoMortem’s archive, this incident ranked #35 of 52 by severity and #19 of 27 within the hack category. That placement put it in the middle-to-lower range of losses in the current corpus rather than among the archive’s largest capital events. The archive context is also notable: 53 total events have been catalogued, and 23 occurred in the 12 months preceding this incident. The surrounding period has therefore remained operationally dense, with a relatively high concentration of recorded failures and attacks. For comparison, the archive listed 12 other hack records, with mean recovery of 91.6% and mean resolution of 465 days. Those comparative figures are useful mainly as context, not as evidence of outcome here. In this case, the dossier did not state any recovery percentage and did not document a completed remediation process beyond the resumption of trading after five weeks. The event therefore diverged from the archive’s more fully documented hack cases in one important respect: operational reopening was reported, but forensic and financial closure were not. The main analytical significance of this record lies less in its absolute size than in its incompleteness. A multichain exploit affecting an Asgard vault and producing a five-week halt would ordinarily be expected to generate a technical incident narrative, chain-level tracing, or governance disclosures. None of that was present in the brief. As a result, the case currently functions in the archive as a moderate-severity hack with confirmed disruption but unusually thin public documentation relative to the comparative dataset.
Comparative analytics
All comparisons computed against the 53-event CryptoMortem archive at time of publication.
- Severity rank across full archive: #35 of 52 (34.6th percentile).
- Severity rank within same event type: #19 of 27.
- Event type "Hack": 12 other records in archive, mean recovery 91.6%, mean resolution 465 days.
- Archive context: 53 events catalogued; 23 in the 12 months preceding this incident.
Limitations
The present record is materially incomplete. The dossier did not establish the technical attack vector, so it has not been shown whether the exploit arose from contract logic, validator or signer compromise, cross-chain handling, or another mechanism. It also did not identify an attacker or provide attribution. No recovery information was included, so as of 2026-06-23 it has not been established that any portion of the reported $10.7 million was recovered. The brief further omitted transaction hashes, chain-specific loss breakdowns, and user counts, preventing independent reconstruction of fund flows or user impact. Finally, no formal legal, regulatory, or court outcome was documented in the available materials.
Timeline
- Exploit date recorded in dossier metadata
The event metadata lists the primary date as 2026-05-19.
source → - Reported multichain exploit hits THORChain
A reported $10.7 million multichain exploit in May affected an Asgard vault.
source → - The Block reports trading has resumed
The Block published that THORChain resumed trading after the halt.
source →
Who was involved
- The Blocknewsbystander
- Asgard vaultprojectvictim$10.7M
- THORChainprotocolvictim$10.7M
Sources
- THORChain resumes trading after exploit, The Block — Trading resumption, five-week halt, $10.7 million exploit, and Asgard vault impact