ZUG, SWITZERLAND / Cryptowire / — THORChain halted trading and signing activity after a compromised Asgard vault was linked to more than $10 million in unauthorized digital asset outflows, marking a significant security incident for the decentralized cross-chain liquidity protocol. The halt was announced on May 15 after abnormal network behavior was detected. THORChain said initial indications showed user funds were safe and that the affected assets were protocol-owned funds.

The incident involved one of THORChain’s Asgard vaults, which are used by the network to support swaps between native digital assets across separate blockchains. Early loss estimates ranged from about $10 million to $10.8 million, with activity reported across Bitcoin, Ethereum, BNB Chain and Base. The protocol paused trading, signing and related activity as contributors and node operators reviewed the affected routes and network controls.
THORChain said the network automatically detected abnormal behavior and halted signing activity to prevent further outbound transfers. The response also included instructions for node operators to review infrastructure, hosts, key management systems and operational security for signs of compromise or irregular activity. The protocol said its investigation was continuing, and a final technical accounting of the incident had not been released.

Vault breach contained

The affected vault was part of a sharded structure, limiting the incident to a portion of the protocol’s vault system rather than all network vaults. THORChain said no user funds or liquidity provider positions were lost, according to its initial update. That distinction was central to the incident because the reported loss related to protocol-owned funds, while user-controlled wallets and external holdings were not described as compromised.
The halt also triggered warnings about fraudulent recovery claims circulating online after the breach. THORChain said it was not running any refund, airdrop or compensation program and told users to rely only on official communication channels. The warning followed reports of fake accounts and websites attempting to exploit confusion around the incident by promoting false reimbursement or recovery offers tied to the theft.

RUNE token reacts

RUNE, the native token associated with THORChain, fell sharply after the trading halt and exploit reports, with market trackers showing double-digit declines during the initial reaction. The drop reflected the direct link between the token and network activity because THORChain’s operations depend on validators, liquidity pools and network security controls. Trading activity around RUNE remained closely watched as the protocol’s technical teams worked through the incident response.
The breach added to wider scrutiny of decentralized finance infrastructure that enables asset transfers across multiple blockchains without using wrapped tokens or centralized intermediaries. THORChain’s case drew attention because the protocol is designed to support native cross-chain swaps and had promoted a model intended to reduce reliance on custodial exchanges. The confirmed facts remain limited to the vault compromise, protocol-owned loss, network halt and ongoing technical review.
