$RUNE Holders Hit Hard as THORChain Launches Recovery Portal After $10M Exploit

THORChain got hit. A $10 million exploit tore through the platform, leaving users across four separate blockchain networks scrambling to figure out what happened to their funds.

The damage wasn’t contained to one chain, which made the whole situation messier than a typical DeFi breach. Four networks. Unauthorized transactions. Real money gone. THORChain’s team moved fast after the attack and stood up a recovery portal — a dedicated tool that lets affected users revoke the malicious approvals that made the exploit possible in the first place, and then work through the process of claiming refunds on the funds they lost. It’s not a perfect fix, but it’s a concrete one, and in the chaotic hours after a major exploit, concrete matters.

The scope here is worth sitting with for a second.

How the Exploit Worked

Four blockchain networks affected simultaneously. That’s not a simple bug or a single smart contract gone wrong — that kind of reach takes a sophisticated attack, one that found a way to compromise user funds at a level that crossed chain boundaries. Users saw unauthorized transactions drain their balances. The losses were real and, for some, probably significant. THORChain hasn’t released a detailed post-mortem on the technical mechanics of how the attacker pulled it off, and the company hasn’t commented publicly on what specific security gaps were exploited.

That silence is frustrating. It’s also pretty common in the immediate aftermath of a DeFi breach, when teams are still pulling logs and figuring out the full blast radius before they say anything official.

What THORChain did say, in effect, is: here’s the portal, here’s how to use it, go revoke your approvals and start your refund claim. Users are being walked through the steps. The guidance is there. Whether that’s enough for people who just watched their funds disappear is a different question entirely.

What the Recovery Portal Actually Does

The portal has one core job — let users cancel any malicious authorizations that got exploited during the attack. In DeFi, token approvals are basically permissions you give a smart contract to move your funds. When an attacker gets access to those approvals, they can drain wallets without needing your private key. Revoking those permissions cuts off any further exposure. It doesn’t automatically recover what’s already gone, but it stops the bleeding.

More context: THORChain Halts Trading After Suspected $10M Exploit Hits Multiple Chains

The refund piece is separate. Affected users are being guided through a process to reclaim lost funds, though THORChain hasn’t spelled out exactly how that restitution gets funded or on what timeline. No details on whether it comes from a treasury reserve, an insurance mechanism, or some other source. Unclear yet. Users waiting on that answer probably aren’t thrilled about the ambiguity.

DeFi platforms have faced this kind of situation before, and the response playbook is usually the same: move fast, launch a recovery tool, communicate through official channels, and promise a full review. The full review part is where things often get quiet. THORChain hasn’t announced any changes to its security protocols, hasn’t said whether audits are being expedited, and hasn’t given users a roadmap for what happens if the refund process hits complications.

That’s not unique to THORChain. It’s kind of the norm across the space. But it doesn’t make it easier for the people waiting.

Cross-chain platforms carry a specific kind of risk that single-chain protocols don’t. Every additional network in the stack is another surface area for attackers to probe. THORChain built its whole model around cross-chain liquidity — it’s the point of the thing — but that design choice comes with tradeoffs that this exploit made very visible. Four networks hit at once isn’t a coincidence. It’s probably a feature of how the attack was structured.

More context: House Committee Pushes Trump to Staff CFTC Before CLARITY Act Stalls Crypto Oversight

Users who were affected are being told to act fast. Use the portal. Revoke the approvals. Start the refund process. Don’t wait.

THORChain says it’s focused on transparency and keeping users informed through official channels during the recovery phase. No timeline has been given for when the refund process wraps up, no figures on how many users were impacted across those four networks, and no word yet on what comes next from a security standpoint.

The portal is live. The losses hit $10 million. And four blockchain networks worth of users are now working through a recovery process with more questions than answers.