THORChain is back online. The decentralized cross-chain liquidity protocol resumed all network activity more than a month after a $10.7 million exploit forced it offline. Developers say they’ve closed the vulnerabilities that allowed the attack and rolled out multiple security upgrades in the process.
Why the network went dark
In late June, attackers exploited a flaw in THORChain’s smart contracts, draining about $10.7 million in various cryptocurrencies. The team halted the network almost immediately to prevent further losses. At the time, they described the exploit as a “targeted attack” on a specific code component. Investigators later traced the root cause to a vulnerability in the protocol’s vault logic — the system that manages liquidity pools and asset swaps.
What’s in the patch
The fix wasn’t a simple line edit. Developers performed a full vault migration, moving all remaining funds to new, hardened contracts. Alongside that, they deployed a series of security upgrades: stricter validation checks, improved access controls, and more comprehensive auditing hooks. THORChain’s own documentation notes that the migration “addresses the specific vulnerability that led to the exploit” and adds “additional layers of protection” against similar attacks in the future.
Timeline of a slow restart
Unlike some DeFi platforms that reboot within days, THORChain took over a month. The team said they wanted to be “deliberate” rather than rushed. They conducted multiple internal audits and brought in external security firms to review the new code. Validators — the nodes that run the network — also had to update their software and confirm the vault migration before the chain could resume. That process dragged on into early August, with the final green light coming late last week.
What users should expect now
The network is fully functional again, meaning cross-chain swaps and liquidity provision are live. THORChain warned, however, that users may see a brief delay in transaction confirmation as the system stabilizes post-migration. The team also plans to release a post-mortem report in the coming days, detailing the exploit chain and the exact upgrades made. For now, the protocol is operating under what it calls “enhanced security posture” — code that’s been tested, but not yet battle-hardened in the wild.
