THORChain has confirmed a $10M exploit and launched a recovery portal for affected users. The portal provides a self-custodial path to revoke malicious token approvals and submit refund claims, backed by a treasury-provisioned pool of equal size.
According to the foundation, the attack was detected at 02:14 UTC on May 11. Node operators flagged anomalous outbound transactions, and trading was paused within eight minutes. Attackers drained 36.75 BTC, worth around $3M, and approximately $7M in tokens across BNB Chain, Ethereum, and Base. The breach hit 12,847 wallets across four chains.
Affected users have 21 days to submit claims. The refund window closes on June 4; unclaimed allocation will roll over to the protocol's insurance fund.
The leading theory is that the attacker exploited a vulnerability in the GG20 threshold signature scheme (TSS) implementation, which allowed sensitive vault key material to leak gradually. A newly churned node is believed to be associated with the attack.
The Treasury is coordinating with Outrider Analytics and law enforcement to identify the attacker and recover funds where possible.