THORChain suffered a suspected multichain exploit on May 15, 2026, forcing an emergency halt after an attacker drained more than $10.7 million from one of its Asgard vaults. The incident triggered multiple controls — Halt All Trading, Halt Signing, Halt Chain Global, and Halt Churning — as the team scrambled to contain the damage. Initial estimates pegged the loss at $7.4 million, but that figure quickly climbed.
How the exploit unfolded
The compromised vault was one of six Asgard vaults, and initial indications suggested individual swaps were unaffected. But the attack vector hit Bitcoin, Ethereum, BSC, and Base directly. An independent estimate put the total closer to $10 million, including 36.75 BTC and roughly $7 million spread across BNB Chain, Ethereum, and Base. The revised official tally settled above $10.7 million.
What TRM Labs found
Blockchain analytics firm TRM Labs assessed the attacker drained more than $11 million across at least nine chains. Beyond the initial four, the haul included Avalanche, Dogecoin, Litecoin, Bitcoin Cash, and XRP. The breadth of the attack underscores the risk that comes with cross-chain routing — and why emergency controls exist in the first place.
The cost of DeFi hacks in 2026
The incident arrives amid a year that has already seen its share of exploits. According to Immunefi's 2026 security findings, the average direct theft from hacks stands at $25 million, with a median loss of $2.2 million. The top five hacks from 2024 and 2025 accounted for 62% of all stolen funds. Tokens that get hacked tend to bleed value — the median six-month decline for a compromised token is 61%. THORChain's native RUNE token has not been immune to the broader market jitters, though the exact price impact is still settling.
What happens next
THORChain's operations remain suspended as the team investigates the root cause and works to restore the network safely. The episode tests the trust that cross-chain protocols rely on — and whether a single vault compromise can shake confidence in the broader DeFi infrastructure. Users are watching for a post-mortem and a timeline for re-opening the chain.
