THORChain returned to full operations on June 23, 2026, ending a 39-day halt triggered by a $10.7 million exploit, and confirmed that native Monero (XMR) swaps are working end-to-end in testing.
The restart restored signing, node churning, liquidity provider actions, and swaps. Remaining losses will be covered through protocol-owned liquidity with no new RUNE issuance.
Monero is the sharper part of the restart. Its privacy design makes it incompatible with most wrapped-token bridges, which depend on transparent on-chain state. THORChain holds native assets in threshold-signature vaults, allowing it to route assets without wrapping them.
The team said XMR swaps are passing end-to-end tests. Zcash (ZEC) support is also on the roadmap, with ZEC vault support expected within two weeks of the restart.
The halt began on May 15, 2026, after an attacker exploited a flaw in THORChain's GG20 threshold signature scheme. A freshly churned malicious node operator reconstructed the private key for one of six Asgard vaults through progressive key material leakage, draining approximately $10.7 million while five other vaults stayed intact.
Recovery moved in stages: an emergency patch on May 20, a vulnerability fix on June 9, and a stability update on June 11. THORChain did not reopen until June 23.
Two measures governed the return. KeyVerify independently checked every node's keyshare before functions were restored. A full vault migration retired all legacy vaults and replaced them with a new set.
Upgrade v3.19.0 also added compromised-vault quarantine logic so a future isolated breach cannot force another full network shutdown.
The open question is whether liquidity returns. TVL stood at $27.86 million on June 23 with daily DEX volume of $2.09 million. LP positions and user funds were preserved through the halt, but depth has to rebuild after 39 days offline.
A bounty program for the attacker remains open. THORChain has not disclosed whether any recovered funds have been returned.