UPDATE!
The video and post below were made before THORChain’s official report and are based on independent community investigations using only publicly available information. We now have more details suggesting the exploit targeted THORChain’s MPC infrastructure, which became possible because they never updated a TSS library (the MPC signature scheme) in the THORChain source code—even though the vulnerabilities in it had already been fixed earlier.
THORChain had ~$10M drained from one of its vaults.
Let's take a look at what happened, the exploit, and the interesting timeline of another vault churn/migration security issue discussed in THORChain's GitLab repository that I discovered earlier today and posted on X.
THORChain is one of the most used decentralized cross-chain networks, which makes these events super relevant to the entire ecosystem!
According to /theoblivionsage's analysis, the attacker was able to get _vaultAllowance over a THORChain vault during what looked like a legit ERC20 vault migration.
Allowance was given via an Ethereum transaction calling the transferAllowance() function, allowing the attacker to sign outbound transactions from this THORChain vault they now control.
Think of it like a company that has a bank account.
This account has a password that allows money to be moved out of the account, according to the company's needs.
The password is owned by one manager at a time, but it might change hands from time to time for security reasons or the company's protocol.
What happened here is that a thief managed to convince the company to make him the manager, getting access to the password during a routine migration -- and VUSH! they drained the account.
Interestingly, the attacker operated the vault as a legit validator for 2 days before executing the drain.
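As an added example (not code from THORChain or from the analyses cited here), the sketch below replays a constructed list of decoded router events and flags allowance that moves to a vault the monitor does not expect, which is the situation the transferAllowance() description above refers to. The event field names, vault labels and the EXPECTED_VAULTS set are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real chain data). Field names, vault labels
# and block numbers are assumptions made for this illustration.
SAMPLE_EVENTS = [
    {"block": 100, "kind": "deposit", "vault": "vault_old",
     "asset": "USDT", "amount": 1000},
    {"block": 110, "kind": "transfer_allowance", "old_vault": "vault_old",
     "new_vault": "vault_new", "asset": "USDT", "amount": 400},
    {"block": 120, "kind": "transfer_allowance", "old_vault": "vault_old",
     "new_vault": "vault_unknown", "asset": "USDT", "amount": 600},
    {"block": 130, "kind": "transfer_out", "vault": "vault_unknown",
     "asset": "USDT", "amount": 600},
]
# Vaults the monitor expects to take part in the migration (assumption:
# this set comes from the network's own published vault list).
EXPECTED_VAULTS = {"vault_old", "vault_new"}


def audit(events, expected_vaults):
    """Replay events in order; return (allowance ledger, list of alerts)."""
    allowance = defaultdict(lambda: defaultdict(int))  # vault -> asset -> amount
    alerts = []
    for ev in events:
        kind, asset, amount, block = ev["kind"], ev["asset"], ev["amount"], ev["block"]
        if kind == "deposit":
            allowance[ev["vault"]][asset] += amount
            continue
        if kind not in ("transfer_allowance", "transfer_out"):
            continue  # event types outside this simplified model are ignored
        src = ev["old_vault"] if kind == "transfer_allowance" else ev["vault"]
        if allowance[src][asset] < amount:
            # Ledger and chain disagree: surface it instead of going negative.
            alerts.append((block, "exceeds_allowance", src))
            continue
        allowance[src][asset] -= amount
        if kind == "transfer_allowance":
            dst = ev["new_vault"]
            allowance[dst][asset] += amount
            if dst not in expected_vaults:
                alerts.append((block, "allowance_to_unexpected_vault", dst))
        elif src not in expected_vaults:
            alerts.append((block, "outbound_from_unexpected_vault", src))
    return allowance, alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_EVENTS, EXPECTED_VAULTS)[1]:
        print(alert)
```

The first alert fires at the allowance transfer itself, before any funds leave, which is the window a monitor has when the new holder waits before spending.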
/banteg points the exploit to a commit (af46db22) from 6 days ago in the thornode repository by THORChain on GitLab: fix(common): sign full ObservedTx wrapper to prevent proposer forgery.
The rest is history.
I really hope the THORChain devs can come out stronger from this hack (and I believe they will) as the chain and RUNE are really important to crypto's decentralization as a living ecosystem, in general.
I'll keep monitoring the situation and posting about it.