THORChain has temporarily halted trading after detecting abnormal activity linked to a compromised Asgard vault. The protocol confirmed the incident through an official announcement, stating that initial signs suggest user funds are safe while protocol owned funds appear to be affected.

According to THORChain, one of its six Asgard vaults appears to have been compromised. Current estimates place the loss at approximately $10.7 million. The team said the network automatically detected suspicious behavior, halted signing activity, & prevented further outbound transactions.

• THORChain Halts Trading After Vault Compromise
• What THORChain Says Happened
• Why The Incident Matters For Cross Chain DeFi
• What Comes Next For THORChain

THORChain Halts Trading After Vault Compromise

The immediate halt is significant because THORChain operates as a decentralized cross chain liquidity protocol, allowing users to swap native assets across different networks without relying on wrapped tokens or centralized intermediaries. In such a system, vault security is central to protocol operations because vaults hold assets that support cross chain swaps.

The team said the investigation is still ongoing. Contributors are working to identify the root cause, review affected infrastructure, & coordinate remediation steps before normal trading activity resumes.

For users, the most important early update is that THORChain has stated individual user swaps do not appear to have been impacted. However, trading remains halted while the protocol investigates the incident & stabilizes network operations.

What THORChain Says Happened

THORChain’s announcement says the network identified abnormal behavior automatically. Once detected, signing activity was halted. This means the protocol stopped the process required to authorize further outbound transactions from vaults.

The compromised vault was reportedly one of six Asgard vaults. Asgard vaults are core parts of THORChain’s infrastructure because they custody assets used for cross chain liquidity. If a vault is compromised, unauthorized outbound movements can create losses for the protocol.

THORChain said node operators securing the affected vault were subject to slashing of bonded RUNE as a result of unauthorized outbound transactions. This is part of the protocol’s economic security design, where node operators bond RUNE to participate in network security. When failure or compromise occurs, bonded capital can be penalized.

The team has also paused churn activity. In THORChain, churn refers to the process of rotating node operators & vault membership over time. Churn helps maintain decentralization & security, but during an active investigation, pausing churn can reduce complexity while developers assess what happened.

The protocol also said onboarding additional chains & operations requiring churn will be delayed until the network is stabilized. This means expansion related activities may slow down while the team prioritizes investigation, containment, & recovery.

THORChain has asked all node operators to immediately review their infrastructure, hosts, key management systems, & operational security for signs of compromise or abnormal behavior. Affected operators have also been asked to provide Bifrost logs to the development team for analysis.