Inside the 39-Day THORChain Shutdown: How a Rogue Node Operator Drained 10.7 Million USD and the Fix That Brought RUNE Back

On May 15, 2026, a rogue node operator exploited a threshold signature security vulnerability in THORChain, draining approximately 10.7 million USD from one of its Asgard vaults and forcing a 39-day shutdown.

By Elena Kowalski | June 28, 2026

The cryptocurrency world is no stranger to security breaches, but a recent multi-million-dollar hack on THORChain has sent shockwaves through the decentralized finance (DeFi) space. On May 15, 2026, a malicious node operator targeted a key vault structure, leading to the theft of roughly 10.7 million USD worth of assets. Developers immediately halted all trading and token swaps for 39 days. This attack highlighted a structural flaw in the mathematical system that THORChain uses to secure assets, raising questions about the safety of cross-chain decentralized exchanges.

According to security firm PeckShield, hackers stole 81.7 million from crypto platforms in May 2026, an 87% drop from April’s 646.89 million. While broader losses fell, the THORChain exploit reminded the market of ongoing security risks. During the shutdown, the THORChain network was halted — meaning no swaps or withdrawals — but RUNE itself continued trading on external exchanges. On the June 23, 2026 restart day, RUNE traded at approximately $0.42, down 0.2% over 24 hours but up 2% over the past week. For perspective, Bitcoin (BTC) is trading at $60,139, Ethereum (ETH) is at $1,572.89, Binance Coin (BNB) sits at $555.03, Solana (SOL) is at $71.13, and Ripple (XRP) is at $1.049. With massive capital at stake, understanding these safety mechanisms is crucial for investors.

The Exploit Mechanics — How the GG20 threshold signature scheme was broken

THORChain secures its digital assets using a mathematical method called the GG20 threshold signature scheme. For regular investors, a threshold signature scheme is like splitting a house key among six people so no single person can open the door alone. A specific number of key fragments must be combined to approve any transaction. This ensures that no individual node operator can steal funds. However, on May 15, 2026, a malicious operator exploited a subtle loophole in this mathematical formula. According to security firm PeckShield and blockchain analyst ZachXBT, the attacker gradually collected pieces of the key over several weeks. This method is called progressive key material leakage, which means the bad actor slowly stole key parts during normal network messages.

Once the attacker gathered enough leaked fragments, they reconstructed the full private key. With this master key, the hacker signed a transaction that drained 10.7 million USD worth of assets. The exploit did not target a bug in the smart contract code, but rather a vulnerability in the underlying math of the GG20 scheme. Because the transaction looked completely normal to the network, the attacker bypassed standard checks, highlighting that splitting keys is only secure if the fragments remain completely secret during signing ceremonies.

Affected Systems — Which THORChain components were impacted

THORChain keeps its funds in six main storage units called Asgard vaults. The malicious node operator used the reconstructed key to target only one of these six vaults. By draining this specific vault, the attacker took 10.7 million USD, while the remaining five vaults were unaffected. This separation of assets helped prevent the loss of the entire network’s capital. Immediately after the exploit, THORChain’s automatic solvency checks noticed a balance discrepancy and paused the network within minutes. Blockchain investigator ZachXBT and PeckShield quickly flagged the exploit and confirmed the security breach.

Although automatic checks protected the other vaults, the protocol halted all trading. The shutdown lasted 39 days, freezing swaps and liquidity withdrawals. This long freeze frustrated investors locked out of their funds. The event showed that while secondary safety nets limit damage, a single compromised component can still disrupt the entire network and harm confidence.

The Mitigation Strategy — What the v3.19.0 upgrade does (quarantine, keyshare checks, ADR028)

On June 23, 2026, THORChain resumed trading after node operators approved the v3.19.0 upgrade. This software release introduced a new compromised-vault quarantine system, which allows the network to isolate a single suspicious vault without stopping the entire exchange. In the future, if a vault shows unusual behavior, it will be locked down while the rest of the network continues trading normally. The upgrade also added strict keyshare checks to verify that node keys are safe before signing transactions. These recovery tools are tied to a standard called ADR028, which defines how the network detects and isolates rogue nodes. Every legacy vault was migrated to a new, verified set of vaults after checking each keyshare.

The upgrade process faced community backlash because developers proposed keeping a patched version of the GG20 scheme rather than replacing it. Critics argued that the mathematical model was too risky. The team explained that replacing the scheme completely would take months of additional downtime. To get the exchange back online quickly, the community accepted the patched version. The v3.19.0 upgrade successfully brought trading back, but the debate over the safety of the GG20 scheme continues.

Lessons Learned — Why threshold signature schemes need more scrutiny, the trade-offs

The THORChain hack shows that threshold signature schemes require more security scrutiny. While splitting keys is designed to increase safety, it can create new risks if a malicious operator can slowly gather key fragments. Decentralization can become a vulnerability if the network cannot verify the honesty of its participants. Developers must balance the speed of transactions with the security of the underlying math. The exploit also highlights the need for multiple layers of security. THORChain’s secondary safety net, the automatic solvency check, saved the network from a total loss, showing that platforms cannot rely on a single defense method.

Looking forward, THORChain is testing native Monero (XMR) swaps and expects Zcash (ZEC) support within two weeks. While these privacy features could increase trading volume, they bring new risks. For investors, the lesson is that security remains an ongoing process, and new features require continuous safety reviews.

User Action Required — What RUNE holders, LPs, and traders should do now

With trading fully resumed, users must evaluate their risk. If you are a RUNE holder, no direct action is needed as the upgrade was applied automatically. The project covered the losses using its own reserves, meaning no new tokens were printed to dilute your holdings. However, you should monitor RUNE’s performance as the network recovers. For Liquidity Providers (LPs), it is important to log into your account and check your pool balances. Since legacy vaults were migrated, LPs should confirm their positions. If you are concerned about the patched security scheme, you may want to reduce your exposure. Finally, traders can swap assets normally, but should expect minor delays and higher slippage as the system processes old transactions. Always check your slippage settings before swapping.

What this means for you: As a retail investor, this hack shows that while protocol upgrades can resolve vulnerabilities, they also come with compromises. You must decide if you are comfortable with the developers retaining a patched cryptographic system or if you should lower your exposure until a complete security overhaul is implemented. Managing your risk by diversifying your assets across multiple decentralized protocols is always a wise approach in the wake of a major exploit.

The cryptocurrency market remains highly volatile. This article is for informational purposes only and does not constitute financial advice.