$140k in funds were taken by a targeted exploit on a logic error in the ETH Bifrost. The network was halted by nodes and patched. Swaps were re-enabled 6 hours later.
Summary
A small logic bug in the Ethereum Bifröst caused a carefully-crafted ERC-20 to be mis-interpreted as ETH.ETH and swapped into the network.
Total funds stolen:
- - 9352,4874282 PERP
- - 1.43974743 YFI
- - 2437.936 SUSHI
- - 10.615 ETH
- Total value: ~$139k
The bug was that all non-ETH assets were being initialised with common.ETHAsset (ETH), but if the symbol returned “ETH”, it would skip. This means that it was being reported as ETH.ETH and not ETH.ETH-0xaddress.
The fix is to initialise the assets with common.EmptyAsset and return before handling ERC20s. This was merged.
Temporary Protection
The other issue that had to be dealt with was there were several pending attack transactions that had not yet been observed by THORChain, since the attacker continued their transactions after the network was halted. If the network was brought back online prior to processing the update, these transactions would have been processed, which would have been silly and a waste of funds. Logic was added to ignore these specific transactions, coming from specific addresses.
THORChain is run by consensus of the super-majority. If the super-majority choose to run code that can protect their capital (and LP’s capital, by consequence) from obvious attacks, then they will. LPs opt to put their capital in a network with a fixed ruleset — if the ruleset changes unfavourably via updates, then LPs can withdraw. Nodes choose to run code, if they are presented with an update they don’t agree with, they can not update (blocking the upgrade until they are churned due age) or LEAVE the network and not run it at all. Alternatively they can present a counter-update to the community that restores the rules they agree with.
Timeline
Five transactions were made:
14.9 ETHOS for PERP
But 0 ETH in transaction:
https://etherscan.io/tx/0x966CB083D116DA2E0D1D115A99381DB2200BD39FF75D38CFAC DC17B1368F1159
14.1 ETHOS for PERP
https://etherscan.io/tx/0xB74F4860E24F04E9E32ACE36735285D518A8A36BF8E8DCC868D7 508BB60947C9
9.151 ETHOS for SUSHI
https://etherscan.io/tx/0xB56DF76D4BF1384DC2744692D744DE44EFADCEC7226C6255532 A0D1EBDB5ABCC
12.014 ETHOS for YFI
https://etherscan.io/tx/0x7CF72852118597E6FF65226A17EAE5A078B6DE7AF791A6324906 D9D456F2B1B6
11.872 ETHOS for YFI
https://etherscan.io/tx/0x514C90C817C270663513E91492D77E9F7282598F5AFC3711800E 311B6E00BE99
When they were approving ETH for trading, trading was halted. Then they tried to do one more transaction after trading was halted:
https://etherscan.io/tx/0xAE3FAB1E5CFAE0A04F25155EC9047CF0F99DF4DDF7DDA1F1351E D4720FA3C030
For which they got a refund of REAL ETH.
Discovery and Update
0 mins : Unusual transaction reported from users
5 mins : DEVs acknowledge it and let node operators know
20 mins : Nodes stop the network, super majority needed.
2h : Software fix
4h : Super majority of nodes updated / fixed
6h : Resume swaps
Recovery
Restore solvency to the vaults (funded by the Treasury)
Refund Node Operator Bonds that were slashed when the network was brought partially back online and didn’t have full consensus
Pay the Bug Bounty to the reporting user
The community are looking for 30 days of no major bugs before mainnet. This classifies as a major bug, so the clocks are reset.
TrailOfBits Audit
There is a scheduled TrailOfBits audit in 2 weeks, which will do a full code-review. THORChain team will continue finding and scheduling audits, especially since the code is being upgraded to service THORFi, which adds to the complexity theatre.
In addition the team will more prominently establish a bug bounty for finding and reporting bugs. Attackers will always have eyes on the code looking for loop holes. THORChain community can also incentivise this behaviour but favourably for the network.
Community
To keep up to date, please monitor community channels, particularly Telegram and Twitter:
- Twitter: https://twitter.com/thorchain_org
- Telegram Community: https://t.me/thorchain_org
- Telegram Announcements: https://t.me/thorchain
- Reddit: https://reddit.com/r/thorchain
- Gitlab (primary): https://gitlab.com/thorchain
- Github (secondary): https://github.com/thorchain
- Medium: https://medium.com/thorchain
Related articles
![THORChain Community Podcast #207 thumbnail featuring Chad Barraford, Kenton and Patriotsounds discussing the network restart timeline, chain integrations and POL fee split.]()
Jun. 11, 2026
THORChain Eyes Trading by Midweek: Chad Maps the Final Restart Steps, With Zcash and Monero Queued
- Podcast
![THORChain Podcast #206 thumbnail.]()
Jun. 6, 2026
The Stablecoin That Survived a 95% Crash: Zephyr Comes to THORChain
- Podcast
![THORChain Podcast #205 thumbnail featuring co-founder Chad Barraford.]()
Jun. 4, 2026
THORChain Still Paused, Monero Targeted for Month-End, and the Limit Order Debate
- Podcast
![THORChain Podcast #204 thumbnail, presented by Raynalytics]()
May. 30, 2026
More Than a Block Explorer: Deving.zone Turns THORChain Into a Living Map
- Podcast
![THORChain Podcast #203 thumbnail featuring co-founder Chad Barraford discussing the v3.19 protocol update, Soda Labs, and vault hardening, presented by Raynalytics]()
May. 29, 2026
THORChain Path to Restart: v3.19, Soda Labs, and Hardening the Vaults
- Podcast
![THORChain May 15, 2026 Exploit Report #1]()
May. 20, 2026
THORChain Exploit Report #1
![]()
May. 14, 2026
Explanation of the 6 Preset Strategies to Help Create Your CCL Strategy
![]()
May. 13, 2026
The Casino Problem: When Crypto Forgets What It Was Built For
![]()
May. 12, 2026
THORChain Protocol Upgrade v3.18
![]()
May. 11, 2026
Dash is coming to THORChain
![]()
May. 8, 2026
Monero Merged, Reserve Burn, Marketing Update | Podcast #196
![]()
May. 7, 2026
Marketing Update: Feb - March 2026
![]()
May. 5, 2026
RUJI Staking Rewards Are Live, Earn Real Protocol Revenue on Rujira
![]()
May. 4, 2026
Bior Labs Cards Are Imminent: Bill Pay, $10K Virtual Cards and a Stablecoin Alpha
![]()
May. 2, 2026
Live from Bitcoin Vegas: 2 bps Stable Swaps, v3.18 Next Week and the Affiliate Revshare Plan
