Aaluxx on the Exploit, the Churn, and Why Two DEXes Beat One

Raynalytics logo
Ray

2026-07-09 — 11 min read

    Podcast
THORChain Community Podcast #215 thumbnail featuring Aaluxx from Maya Protocol, Eric from Moca, Randy Bechtold and Patriotsounds discussing the exploit, v3.20 and the Monero launch timeline.

THORSday Community Podcast #215 ft. AaluxxMyth, EricOnchain, Randy_Bechtold & Patriotsounds | July 9, 2026 | Watch the full episode on YouTube

By Raynalytics

TL;DR

  • The churn is blocked until v3.20. A consensus issue tied to churning means the planned v3.19.4 point release is being folded into a major v3.20 release, with patches that must land in Thornode. Devs met to cut it, with an upgrade height hoped for the following week, which would re-enable Solana and churning.
  • Maya Protocol kept processing swaps through the entire exploit and the month-long THORChain pause. The same latent bug existed in Maya's code but was never exploited, and with a single verifiably healthy vault, Maya could keep swapping. Aaluxx's thesis: redundancy is the point.
  • The exploit came from three older bugs that were only dangerous chained together, each harmless alone. Aaluxx recounted an ice-cold morning fearing a private-repo patch had caused it (it had not), and framed AI as both a defensive and an offensive force multiplier from here.
  • A cleaner idea-to-ADR pipeline is being weighed: a stage upstream of ADRs that polishes proposals into concise, buildable "recipes," with ADR numbers eventually granted on-chain via node relay. The real bottleneck is review-and-deploy capacity, not writing code.
  • Integrations moved too: the dynamic fee model added ShapeShift alongside Symbiosis, a community tip put Robinhood Chain and Arbitrum back on the radar, $XMR nears a cautious shallow-liquidity launch with a Least Authority audit being quoted, and Moca's crypto point-of-sale heads into a quiet beta.

1. The Churn Is Waiting on v3.20

The most time-sensitive update is that THORChain still cannot churn. A developer flagged in the dev Discord that a consensus issue surfaces during churning, so the network has to reach v3.20 before it can rotate its vaults again.

That reshaped the release plan. The team had intended to ship v3.19.4 as a point release the day of the recording, but the newly required fixes have to go into Thornode itself, which forces a major release rather than a patch. Devs were meeting the next day to cut v3.20, with an upgrade height hoped for sometime the following week. Once it lands, the plan is to re-enable Solana and everything else that is paused, then re-enable churning.

Anything that had been slated for v3.19.4, including the Monero work, now rolls into v3.20. The new router V6 code is also ready and being deployed progressively. When trading and churning resume, users route through THORChain Swap as usual.

https://raynalytics.net/analytics/thorchain/liquidity

2. Inside the Exploit

Aaluxx, a Maya Protocol co-founder who has taken a senior role on THORChain since the exploit, walked through what actually happened. The root cause was not a single dramatic flaw. It was three older bugs that only became dangerous when chained together.

"It was three bugs that, chained together, were exploitable. Any one of them individually was harmless." (Aaluxx)

He described the morning it broke as ice-cold. The team had merged TSS patches from a private repo shortly before the churn that cost the funds, and his first fear was that they had dropped a commit in the merge and caused the exploit themselves. A quick check cleared it: the commit was in place, and the vulnerability traced to much older code that should have been fixed long ago. The team had caught a similar chained bug, a potential double-spend, only a couple of months earlier.

The detection method during the incident was elegant. By factoring one of the TSS setup's cryptographic parameters and looking for small prime numbers that should not be there, the team could tell whether a given vault had been poisoned. On THORChain, one of five vaults was compromised, which is why roughly 20% of TVL was drained.

Aaluxx was candid about the lessons: communicate earlier, be more proactive, move a little swifter. He also framed the moment honestly. AI now lets a small team explore a codebase from far more angles at once, which is a defensive advantage when it works for you and a serious risk when someone points it the other way. He expects a few more choppy months as the industry adjusts.

3. Redundancy Is the Point

On Maya Protocol, the same latent bug existed but had never been exploited. Because Maya ran a single vault the team could verify was healthy, it kept processing swaps straight through the incident. It did pause churning as a precaution, since a churn could have opened the same exploit path, but the swaps never stopped.

That mattered for real users. For the roughly month THORChain was paused, you still could not route a native $BTC to $ETH swap on THORChain, but you could on Maya.

"We need to fly the jet with two engines." (Aaluxx)

Aaluxx used that line to reject a familiar suggestion. After the exploit, and during last year's $TCY period, some people argued THORChain and Maya should simply merge: use $RUNE to buy out $CACAO, retire one chain, and run a single larger DEX. He granted it would have been a good business move and turned it down anyway, because consolidation does not serve the mission. Two permissionless DEXes that share the same maximalist ideals are a feature, not a cost to optimize away.

That cost is real. Redundancy is expensive by definition: you are paying for two engines instead of one. He drew the analogy to just-in-time inventory, which is highly efficient right up until a shock like COVID snaps the supply chain. Eric, joining from Moca, put the same point more bluntly: without redundancy, with both regular hosts out, Denny would have been recording the podcast alone.

4. How Maya and THORChain Share Developers

With Maya's team now carrying senior responsibility on THORChain, a listener asked how the two projects split developer time. Aaluxx laid out a deliberately autonomous structure. One lead developer anchors each chain, Zly on THORChain and a counterpart on Maya, each focused solely on their network. A co-founder splits review-and-deploy duties across both and writes only the code no one else can. Shared DevOps works because the two networks' backend services and APIs are largely homogenized, even though the node software differs.

THORChain carries more hands overall: Chad Barraford, StarSquid, other contributors, the Rujira group, ecosystem volunteers, and sometimes node operators. Developers are held to a two-to-one code-to-review ratio, so every piece of code written pulls at least two reviews in return.

Coordination is mostly public and mostly asynchronous. Most of it happens in the open on GitLab, where issues, pull requests, reviews, and priority labels live, with nodes signaling their wishes through node relay. There is a weekly call to keep everyone in tune, and during the exploit the team met hands-on every day, weekends included, for about three weeks.

The constraint is not what most people assume.

"Our limiting factor is not code creation, it's reviewing and deploying." (Aaluxx)

Only about three people currently have the expertise to review and deploy for THORChain, which is why simply adding more code, or more coders, does not automatically speed things up.

5. A Cleaner Path From Idea to ADR

The other governance thread of the night was that ADR numbering has gotten messy. With proposals now coming from many parties rather than being shepherded by Nine Realms, people have collided over ADR numbers and, in some cases, filed rough ideas as ADRs. A community question asked how to keep the permissionless ethos while adding just enough structure.

Aaluxx's answer was to separate the idea stage from the ADR stage. An ADR should already be polished: concise, technical, actionable, and buildable with the resources on hand. What is missing is a place upstream, a kind of battleground, where raw ideas get pressure-tested, some discarded and others sharpened, before they earn ADR status. He was clear this is about polish, not permission.

"Some people think 'I want pasta' is an ADR. That's not an ADR, that's a problem. Come to us with a recipe." (Aaluxx)

His own $TCY proposal was easy to act on, he noted, because his time inside Maya told him exactly what was programmable before he wrote it. Down the line, ADR numbers could be requested and granted on-chain through node relay, with the first node to approve assigning the next number, so ownership is unambiguous. Denny's takeaway was to write an ADR to reform the ADR process, which Aaluxx endorsed.

One clarification cut through the confusion: an ADR is not a gate for shipping code. Anyone can open issues and pull requests on GitLab today. An ADR is a temperature check that tells nodes whether they want devs to spend paid time on something. Boone offered the working model: when he wanted to build the Monero chain client, Chad handed him a checklist of what it would take to be viable, and Boone spent months meeting it, using AI tooling to help port the FROST threshold-signature work. Aaluxx's encouragement was blunt. He was a nobody on THORChain when he proposed $TCY and pushed it through, the dev fund shared by Chad, Marcel Harmann, and himself is not large, and none of that should stop anyone from contributing. Everyone has agency to use.

https://raynalytics.net/dashboards/dynamic-fees

6. Dynamic Fees Add ShapeShift, and a Tip Reopens Arbitrum

Randy's BD update led with the dynamic fee model, which is progressing well. ShapeShift has now joined Symbiosis as a live participant, and the data coming back is proving useful. Three or four more affiliates could be running within a week, pending Chad's availability to finish the integrations.

The more colorful update came from a cold DM. A community member reached out to Randy about Robinhood Chain, and a little research showed it is built on Arbitrum, a network THORChain had already been trying to reconnect with. That surfaced a two-birds opportunity: Randy has a call with the Arbitrum team next week about integration, and will ask for a warm introduction to Robinhood while he is at it.

Aaluxx offered a technical reality check. Arbitrum looks like an easy EVM integration but runs at roughly four blocks per second, which floods nodes with message volume much like Solana does. It took Maya about a year to make its own Arbitrum support fast and stable. The upside is that the hard work is largely done there, so THORChain's path is shorter.

7. Monero Nears, Zcash Waits

The Monero integration is moving toward a careful launch. Aaluxx is quoting an audit with Least Authority, which he rates among the top firms for privacy chains. There is precedent: Zcash funded a Least Authority audit of the Zcash-into-Maya integration that recently wrapped with no major bugs, only minor denial-of-service and quality-of-life fixes. The $XMR work has already been through chain-net testing and a developer's review.

True to THORChain's usual approach, the Monero pool will launch first with shallow, protocol-owned liquidity and small test swaps, so no user funds are exposed while the chain client settles.

"Break things, but break them small." (Aaluxx)

When it is ready, the $XMR pool will be reachable through THORChain Swap.

$ZEC on the THORChain side, by contrast, has no timeline. Aaluxx was clear the holdup is bandwidth, not technology: refunds, security work, bringing the network back online, and the Monero release are all competing for the same narrow door, and churns come first. As he put it, if everything is a priority, nothing is.

8. Moca Brings Crypto to the Register

Eric closed the guest updates with news from Moca, a crypto point-of-sale and payments network that settles through Maya Protocol, THORChain, and a few other backends. The goal is to let ordinary merchants accept crypto and settle in crypto without friction.

Moca is going live in a deliberately quiet beta, targeted for the Monday after next, with no marketing push at first. The plan is to open business accounts, gather feedback, run real test payments, and fix bugs before a louder launch. Beyond payments, the team wants to surface the "pay with THORChain" and "pay with Maya" rails, so real-world spending routes volume back to the protocols.

"The payment side of Maya is upon us." (Eric)

Builders who want early API access can reach Eric or the Moca account directly.

What to Watch

  • v3.20: Whether the major release is cut on schedule and delivers an upgrade height next week, re-enabling Solana and, most importantly, churning.
  • Monero: How the Least Authority audit progresses, and how cautiously the shallow-liquidity $XMR launch behaves once it goes live.
  • ADR reform: Whether a pre-ADR proposal stage and on-chain number allocation actually take shape over the next month or two.
  • Dynamic fees: Whether the next three or four affiliates come online, and what the ShapeShift and Symbiosis data reveals about the model.
  • Arbitrum and Robinhood: Whether next week's Arbitrum call and a possible Robinhood introduction turn into real integration work.
  • Moca: Whether the quiet point-of-sale beta converts into steady settlement volume for THORChain and Maya.

Raynalytics

More THORChain data, check out raynalytics.net

Follow Raynalytics for more Weekly Analytics and Podcast recaps.

Try the World’s Leading Bitcoin DEX

No sign up required. Easy to use.