
THORChain silently patched a critical loss-of-funds bug reported by V12 Security. Researchers now plan to disclose additional vulnerabilities.
Author: Akshat Thakur
June 1, 2026 – Security firm V12 Security publicly disclosed a critical loss-of-funds vulnerability in THORChain on Sunday. The protocol had silently patched the bug and told the researchers its bounty program was permanently retired.
High Signal Summary For A Quick Glance
Essential (@only01Essential), 01:31 PM·Jun 1, 2026:
@v12sec @THORChain This is why I don't think whitehats are to blame for all the many hacks happening right now. We don't get rightly compensated for our work. This is just really sad to see
Quoted post (@v12sec): We reported a critical loss of funds bug to @Thorchain (32M TVL, 150M FDV) They silently patched it and told us their bug bounty program is permanently retired. We have more Thorchain chain halt DoS vulns. We intend to release them (open disclosure) in the coming few days https://t.co/R2jyej5Pnh
ZachXBT (@zachxbt), 01:12 PM·Jun 1, 2026:
@v12sec @THORChain You would figure after all of the exploits they had security would be taken more seriously. Yet THORChain continues to set the bar lower for teams….
kosta (@im_kosta), 12:26 PM·Jun 1, 2026:
@v12sec @bytes032 @THORChain It’s not the first time they do so, I had the same case in 2024
V12 Security, led by researcher William Bowling, posted the disclosure on X at 10:57 UTC. The firm also warned it holds additional chain-halt DoS vulnerabilities for open disclosure in coming days.
No funds were lost from this THORChain critical bug. The team patched the issue before V12 went public. Still, the disclosure raises serious questions about how DeFi protocols treat security researchers.
V12 reported the bug privately to THORChain on April 28, 2026. The firm called it an “attestation-finality-bypass” flaw. It also published a full proof-of-concept on GitHub.
In a cross-chain DEX like THORChain, inbound deposits must reach a confirmation threshold before swaps execute. This prevents attackers from depositing on one chain and reversing the transaction after receiving funds on another.
The THORChain critical bug allowed a single malicious validator to modify unsigned metadata in a transaction observation. Acting as the CometBFT block proposer, the attacker could alter the FinaliseHeight field in an ObservedTx. This would fake the confirmation status of an inbound deposit.
Once the protocol believed the deposit was confirmed, it would execute the swap from its liquidity pools. The attacker could then double-spend the source-chain deposit. On Bitcoin, for example, this could drain pool funds.
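As an added illustration (not THORChain's code and not V12's proof-of-concept), a simplified Go model of the finality check described above: the vulnerable form trusts a proposer-supplied, unsigned FinaliseHeight, while the hardened form derives confirmations only from data every validator signed. The types, function names and the quorum rule are assumptions made for this example.

```go
package main
import "sort"

// Observation models one validator's SIGNED attestation of an inbound deposit.
// Hypothetical types for illustration; not THORChain's own code.
type Observation struct {
	DepositHeight  int64 // source-chain block holding the deposit
	ChainTipHeight int64 // source-chain tip the validator saw when signing
}

// ObservedTx is what the block proposer assembles. FinaliseHeight stands in
// for proposer-supplied metadata that no validator signature covers.
type ObservedTx struct {
	Attestations   []Observation
	FinaliseHeight int64
}
// vulnerableIsFinal trusts the unsigned field, so whoever proposes the block
// can declare any deposit confirmed.
func vulnerableIsFinal(tx ObservedTx, currentTip int64) bool {
	return currentTip >= tx.FinaliseHeight
}
// hardenedIsFinal ignores FinaliseHeight and counts confirmations only from
// signed data: the deepest tip that at least `quorum` validators attested,
// measured against the highest claimed deposit height (the conservative pick).
func hardenedIsFinal(tx ObservedTx, quorum int, requiredConfs int64) bool {
	if quorum < 1 || len(tx.Attestations) < quorum {
		return false
	}
	tips := make([]int64, 0, len(tx.Attestations))
	var deposit int64
	for _, a := range tx.Attestations {
		tips = append(tips, a.ChainTipHeight)
		if a.DepositHeight > deposit {
			deposit = a.DepositHeight
		}
	}
	sort.Slice(tips, func(i, j int) bool { return tips[i] < tips[j] })
	quorumTip := tips[len(tips)-quorum] // >= quorum validators saw a tip this high
	return quorumTip-deposit+1 >= requiredConfs
}
// sampleTx is constructed input: deposit at height 100, one tip per validator.
func sampleTx(finalise int64, tips ...int64) ObservedTx {
	tx := ObservedTx{FinaliseHeight: finalise}
	for _, t := range tips {
		tx.Attestations = append(tx.Attestations, Observation{100, t})
	}
	return tx
}
```

With three honest validators reporting tips 102, 103 and 103 and one dishonest validator claiming 150, the hardened check sees only four confirmations at a quorum of three and refuses to finalise, whereas the unsigned field alone would have allowed the swap.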
THORChain acknowledged the report and merged a fix via GitLab Merge Request 4820. The fix landed in the private repository by May 28, 2026. The team did not announce the patch publicly.
When V12 asked about compensation, THORChain reportedly told V12 that it had permanently retired its bounty program. According to THORChain’s contributors page, the program ended in March 2026 alongside the v3.16.0 release.
THORChain originally used Immunefi for bug bounties. It later moved to a self-hosted program before retiring bounties entirely. As of June 1, the protocol has issued no official statement on V12’s disclosure.
V12 stated on X that it holds additional THORChain vulnerabilities. These reportedly include chain-halt DoS bugs that could trigger the network’s emergency pause mechanism.
“We have more Thorchain chain halt DoS vulns,” V12 wrote. “We intend to release them (open disclosure) in the coming few days.”
Open disclosure means publishing PoC exploits publicly without an embargo period. This contrasts with responsible disclosure, where researchers give the team time to patch first. V12 chose the open path after receiving no bounty.
Timeline of the V12 Security THORChain Vulnerability Disclosure
V12 Security autonomously discovers a critical loss-of-funds vulnerability affecting THORChain. The flaw, later described as an attestation-finality-bypass, could have enabled premature transaction finalization and unauthorized fund movements. The exact discovery date was not publicly disclosed.
V12 Security privately reports the issue to the THORChain team via WhatsApp. The disclosure package includes a full technical report, proof-of-concept files, code diffs, and documentation detailing how the vulnerability could bypass inbound transaction confirmation requirements and potentially result in loss of funds.
THORChain reviews the vulnerability internally and develops a fix through a private security process. The remediation work remains undisclosed publicly while engineers prepare and test the patch.
THORChain officially retires its bug bounty program. This decision is not widely highlighted publicly at the time but later becomes relevant during discussions with V12 regarding potential vulnerability rewards.
THORChain informs V12 Security that the vulnerability has been patched in the private repository and merged through private GitLab merge request 4820. This marks the completion of remediation for the reported loss-of-funds issue.
During a follow-up WhatsApp exchange, THORChain informs V12 that no active bug bounty program exists. The team states that the bounty program had been discontinued previously and is no longer available for submitted reports.
V12 Security publishes a public disclosure thread detailing the vulnerability, reporting timeline, remediation process, and communications with THORChain. Screenshots, technical evidence, and a proof-of-concept repository are released alongside the announcement.
V12 announces plans to publicly disclose additional chain-halting denial-of-service vulnerabilities affecting THORChain in the coming days. The team states that further technical details and proof-of-concept materials will be released through its public repository.
This is not the first THORChain critical bug to surface. The protocol suffered two exploits in July 2021, each costing roughly $5 million.
On May 15, 2026, a malicious node exploited a flaw in THORChain’s GG20 threshold signature scheme. That attack drained $10.7 million from protocol vaults. Trading has remained paused since that incident.
THORChain’s TVL currently sits at $30 million, according to DefiLlama. That figure is down 25.84% over the past 30 days. RUNE trades at $0.4178 with a fully diluted valuation of $150.28 million, per CoinGecko.
On X, sentiment skews heavily against THORChain’s security practices. On-chain investigator ZachXBT commented, “You would figure after all of the exploits they had security would be taken more seriously.”
Other researchers echoed similar frustrations. One user, @im_kosta, claimed they had the same experience in 2024 after reporting a vulnerability. Another, @only01Essential, wrote, “This is why I don’t think whitehats are to blame… really sad to see.”
Some community members did question V12’s motives. They noted V12 reported the bug in April, a month after the bounty ended. Still, no coordinated defense from THORChain supporters has emerged.
THORChain is not alone in cutting security incentives. Several DeFi protocols have retired or reduced bounty programs since the 2024-2025 exploit wave. This trend alarms researchers who depend on bounties for compensation.
Without bounty programs, researchers face a difficult choice. They can disclose for free, sell exploits on gray markets, or go public to build reputation. V12 chose the third option.
V12 Security has built credibility through Linux kernel disclosures in May 2026. These include DirtyCBC, DirtyDecrypt, and Fragnesia (CVE-2026-46300). The firm specializes in agentic-AI-assisted vulnerability discovery.
THORChain still has not resumed trading after the May 15 exploit. V12’s additional DoS disclosures add more pressure on the protocol’s security posture.
The core question is simple. If a protocol retires its bounty, why would researchers report privately? V12’s answer appears to be: they will not.
The open disclosures may be just beginning.