THORChain has fully resumed trading, swaps and liquidity provision after a 39-day recovery period following a major security breach. The protocol had been halted in mid-May after an exploit drained approximately $10.7 million from one of its vaults.
The restart marks the end of a staged recovery process that focused on vault safety, keyshare verification and new infrastructure migration. THORChain said core network activity, including signing and user withdrawals, is now live again.
Trading is live again on THORChain.
After more than a month offline, the network is fully back. Signing, churning, secured and trade assets, LP actions, and swaps are all up and running. The world's leading Bitcoin DEX is open for business once again.
This recovery was never…
— THORChain (@THORChain) June 23, 2026
Vault Migration Anchors the Recovery
The return to service follows several weeks of remediation after the May 15 incident. THORChain’s own exploit report said the attacker drained about $10.7 million from a single vault, while the remaining vaults were not affected.
The protocol attributed the incident to a vulnerability in its GG20 threshold-signature implementation. According to THORChain, the attacker was a newly churned node operator who exploited the signing setup and bypassed the normal GG20 signing ceremony after reconstructing the vault key.
During the recovery period, the network moved through security checks intended to confirm that existing vaults and node keyshares were safe. THORChain also migrated assets away from legacy vaults into new vault infrastructure, making the vault transition the key operational milestone before reopening.
That process was slower than a simple restart because THORChain had to restore confidence in both its signing layer and its cross-chain settlement workflow. For a protocol built around native swaps, signing safety is the core infrastructure risk.
Swaps Return as New Assets Wait
With the network live again, users can access native cross-chain swaps and liquidity operations across supported assets. That restores THORChain’s main utility as a liquidity hub for moving value between chains without wrapped assets.
The next phase is expected to focus on additional integrations. THORChain has signaled plans for Zcash and Monero support, alongside future expansion to Bittensor’s TAO token, though the exact rollout will depend on continued security checks and network readiness.
The restart does not erase the scrutiny created by the exploit. THORChain remains under pressure to prove that the new vault setup and verification process can withstand renewed activity, especially as cross-chain protocols continue to attract sophisticated attackers.
The episode also reinforces a broader market lesson: cross-chain liquidity systems depend not only on smart contract logic, but also on validator coordination, threshold signing and vault operational security.
For now, the confirmed development is that THORChain has restored its core network after the May exploit. The next meaningful tests will be sustained swap volume, safe withdrawals, additional asset integrations and whether the new vault architecture prevents a repeat failure.
