A security research group that uncovered a critical flaw in the THORChain network says it will publish exploit code for unpatched vulnerabilities within days, after the project patched the reported issue without offering credit or a reward. The group, known as V12, disclosed the vulnerability to THORChain but now argues that the response, fixing the bug while simultaneously killing the bug bounty program, left it with no alternative.
The vulnerability and the patch
V12 notified THORChain of a critical vulnerability that could have put user funds at risk on the cross-chain liquidity protocol. The team describes the flaw as severe enough to warrant immediate attention. THORChain developers did deploy a fix, closing the hole. But according to V12, the patch arrived without any acknowledgment of the finders or the promised compensation from the project's bug bounty program.
Neither THORChain's leadership nor its core developers have publicly commented on the discrepancy. The project's typical practice had been to reward security researchers who responsibly report bugs, but that process appears to have been scrapped in this case.
Bug bounty program shelved
The more consequential decision came shortly after the patch: THORChain retired its bug bounty program outright, labeling it 'permanently retired' in project communications. That move effectively closed the door on any potential payment to V12 and signaled a broader shift in the project's approach to external security research.
Bug bounty programs are common in crypto and blockchain projects, offering financial incentives for white-hat hackers to find and report flaws before malicious actors can exploit them. Retiring a program midstream — especially immediately after receiving a critical report — is unusual and has drawn criticism from parts of the security community. Without a functioning bounty, researchers who discover future vulnerabilities have no clear channel for responsible disclosure or expectation of reward.
Planned exploit release
V12 now says it will publicly release exploit code targeting THORChain vulnerabilities that remain unpatched. The group did not specify which flaws those are or how many exist, but warned that the code would arrive in the coming days. The announcement raises the stakes for THORChain users and validators, who may face active exploits if the project does not address the remaining issues in time.
The exact timeline is unclear. V12 has not set a specific date for the release, saying only that it will happen soon. THORChain has not issued a statement about the planned disclosure or indicated whether it intends to patch the other vulnerabilities before the code goes public.
The situation leaves users in a bind: either THORChain moves quickly to fix every remaining hole or V12 follows through on its threat, potentially triggering losses on the network. For now, the project's decision to retire its bounty program — and the missing credit that sparked the dispute — hangs over what happens next.




