$140k in funds were taken by a targeted exploit on a logic error in the ETH Bifrost. The network was halted by nodes and patched. Swaps were re-enabled 6 hours later.
Summary
A small logic bug in the Ethereum Bifröst caused a carefully-crafted ERC-20 to be mis-interpreted as ETH.ETH and swapped into the network.
Total funds stolen:
- - 9352,4874282 PERP
- - 1.43974743 YFI
- - 2437.936 SUSHI
- - 10.615 ETH
- Total value: ~$139k
The bug was that all non-ETH assets were being initialised with common.ETHAsset (ETH), but if the symbol returned “ETH”, it would skip. This means that it was being reported as ETH.ETH and not ETH.ETH-0xaddress.
The fix is to initialise the assets with common.EmptyAsset and return before handling ERC20s. This was merged.
Temporary Protection
The other issue that had to be dealt with was there were several pending attack transactions that had not yet been observed by THORChain, since the attacker continued their transactions after the network was halted. If the network was brought back online prior to processing the update, these transactions would have been processed, which would have been silly and a waste of funds. Logic was added to ignore these specific transactions, coming from specific addresses.
THORChain is run by consensus of the super-majority. If the super-majority choose to run code that can protect their capital (and LP’s capital, by consequence) from obvious attacks, then they will. LPs opt to put their capital in a network with a fixed ruleset — if the ruleset changes unfavourably via updates, then LPs can withdraw. Nodes choose to run code, if they are presented with an update they don’t agree with, they can not update (blocking the upgrade until they are churned due age) or LEAVE the network and not run it at all. Alternatively they can present a counter-update to the community that restores the rules they agree with.
Timeline
Five transactions were made:
14.9 ETHOS for PERP
But 0 ETH in transaction:
https://etherscan.io/tx/0x966CB083D116DA2E0D1D115A99381DB2200BD39FF75D38CFAC DC17B1368F1159
14.1 ETHOS for PERP
https://etherscan.io/tx/0xB74F4860E24F04E9E32ACE36735285D518A8A36BF8E8DCC868D7 508BB60947C9
9.151 ETHOS for SUSHI
https://etherscan.io/tx/0xB56DF76D4BF1384DC2744692D744DE44EFADCEC7226C6255532 A0D1EBDB5ABCC
12.014 ETHOS for YFI
https://etherscan.io/tx/0x7CF72852118597E6FF65226A17EAE5A078B6DE7AF791A6324906 D9D456F2B1B6
11.872 ETHOS for YFI
https://etherscan.io/tx/0x514C90C817C270663513E91492D77E9F7282598F5AFC3711800E 311B6E00BE99
When they were approving ETH for trading, trading was halted. Then they tried to do one more transaction after trading was halted:
https://etherscan.io/tx/0xAE3FAB1E5CFAE0A04F25155EC9047CF0F99DF4DDF7DDA1F1351E D4720FA3C030
For which they got a refund of REAL ETH.
Discovery and Update
0 mins : Unusual transaction reported from users
5 mins : DEVs acknowledge it and let node operators know
20 mins : Nodes stop the network, super majority needed.
2h : Software fix
4h : Super majority of nodes updated / fixed
6h : Resume swaps
Recovery
Restore solvency to the vaults (funded by the Treasury)
Refund Node Operator Bonds that were slashed when the network was brought partially back online and didn’t have full consensus
Pay the Bug Bounty to the reporting user
The community are looking for 30 days of no major bugs before mainnet. This classifies as a major bug, so the clocks are reset.
TrailOfBits Audit
There is a scheduled TrailOfBits audit in 2 weeks, which will do a full code-review. THORChain team will continue finding and scheduling audits, especially since the code is being upgraded to service THORFi, which adds to the complexity theatre.
In addition the team will more prominently establish a bug bounty for finding and reporting bugs. Attackers will always have eyes on the code looking for loop holes. THORChain community can also incentivise this behaviour but favourably for the network.
Community
To keep up to date, please monitor community channels, particularly Telegram and Twitter:
- Twitter: https://twitter.com/thorchain_org
- Telegram Community: https://t.me/thorchain_org
- Telegram Announcements: https://t.me/thorchain
- Reddit: https://reddit.com/r/thorchain
- Gitlab (primary): https://gitlab.com/thorchain
- Github (secondary): https://github.com/thorchain
- Medium: https://medium.com/thorchain
Related articles
![]()
May. 14, 2026
Explanation of the 6 Preset Strategies to Help Create Your CCL Strategy
![]()
May. 13, 2026
The Casino Problem: When Crypto Forgets What It Was Built For
![]()
May. 12, 2026
THORChain Protocol Upgrade v3.18
![]()
May. 11, 2026
Dash is coming to THORChain
![]()
May. 8, 2026
Monero Merged, Reserve Burn, Marketing Update | Podcast #196
![]()
May. 7, 2026
Marketing Update: Feb - March 2026
![]()
May. 5, 2026
RUJI Staking Rewards Are Live, Earn Real Protocol Revenue on Rujira
![]()
May. 4, 2026
Bior Labs Cards Are Imminent: Bill Pay, $10K Virtual Cards and a Stablecoin Alpha
![]()
May. 2, 2026
Live from Bitcoin Vegas: 2 bps Stable Swaps, v3.18 Next Week and the Affiliate Revshare Plan
![]()
Apr. 30, 2026
THORChain Quarterly report - Q1 2026
![]()
Apr. 29, 2026
bRUNE Staking Cap Increased to 2 Million, How to Stake, and Earn THORChain Yield
![]()
Apr. 28, 2026
Protocol Upgrade - v3.17.0
![]()
Apr. 27, 2026
Unstoppable: The Best Privacy Wallet – THORChain Mobile Interface
![]()
Apr. 24, 2026
THORChain Stands for a Permissionless and Decentralized Ethos
![]()
Apr. 23, 2026
Custom Concentrated Liquidity: Where Liquidity Becomes Strategy
