Thorchain suffered an exploit Friday, with estimated losses between $10 million and $11 million. Attackers used vault churn address poisoning to redirect funds during a routine migration process across multiple blockchains, according to onchain investigator ZachXBT, who first flagged the incident via his Telegram channel.
How the Attack Worked
The exploit targeted Thorchain's vault churn mechanism — a periodic process where the network rotates validator nodes and associated addresses. By poisoning the new vault's address during the migration, attackers tricked the protocol into sending funds to their own wallet instead of the legitimate destination. The multi-chain nature of the attack meant funds moved across several blockchains before the team could react.
Loss Estimates Revised Upward
Initial estimates pinned the damage at just over $7.4 million. Those numbers climbed quickly as more affected transactions came to light. The final range now sits between $10 million and $11 million. That's a significant hit for a protocol that prides itself on cross-chain liquidity, though it's not the first time Thorchain has dealt with an exploit.
ZachXBT Spots the Problem
ZachXBT, a well-known onchain investigator, spotted the suspicious activity and posted an alert on Telegram before the broader community caught on. His callout likely helped limit further damage by giving validators a heads-up to pause the migration. As of Friday evening, Thorchain hadn't issued a public statement, but the team is presumably working on a fix and assessing which funds can be recovered.
The incident is a reminder that even routine infrastructure upgrades — like vault rotations — can open windows for skilled attackers when the code isn't battle-tested against address poisoning. The revised loss figure also suggests the initial damage assessment may have missed several transactions, a detail that might prompt tighter monitoring during future migrations.
