On May 15, 2026, the cross-chain liquidity protocol THORChain confirmed that one of its Asgard vaults was hacked, resulting in a loss of approximately $10.7 million, involving assets across multiple chains such as Bitcoin, Ethereum, BNB Chain, and Base.

After the incident, the network automatically detected abnormal signatures and urgently paused all network transactions and signing activities. After successfully intercepting subsequent transfers, the official statement indicated that only the protocol's own funds were affected, and user assets and exchange transactions were not impacted. The related nodes triggered RUNE staking penalties due to unauthorized outbound activity, and Churn rotation and new node connections have also been suspended. The team is investigating the root cause and advising users to check authorizations, node operators to review infrastructure and key management.

On-chain tracking shows that the attacker’s associated wallets have moved funds over the past few weeks through cross-chain platforms like Monero and Hyperliquid, and have prepared by staking RUNE via nodes. The fund flow before and after the attack is complex and demonstrates strong mixing and cross-chain operation capabilities; the stolen funds have not yet been moved on a large scale. Additional analysis indicates that such multi-chain synchronized outflows may point to common vulnerabilities in cross-chain routing layers rather than a single smart contract flaw.

Following the news, THORChain’s native token RUNE once dropped over 12%, falling below $0.50, and market sentiment was under pressure. This incident also highlights the high operational and security demands on cross-chain vaults and signing systems (such as TSS/MPC-related processes) in terms of key management, operational procedures, and emergency circuit breakers. Future focus will be on vulnerability identification, patching, and conditions for network security restart.