THORChain has resumed all network activity more than a month after a $10M exploit forced the cross-chain protocol to halt trading, according to a June 23 report from Cointelegraph. The restart came after the team deployed several security upgrades and completed a full migration of the protocol's vaults. Swaps between native assets are live again on a network that, at the time of the pause, had been one of the busier venues for moving coins across chains without a centralized intermediary.
A month-long pause closes out
The halt was not a precaution against a threat that never materialized. It followed an actual $10M loss, and the protocol stayed dark while the team rebuilt the pieces an attacker had reached. Bringing a live liquidity network back from a full stop is a different exercise from patching a single contract. Vaults hold real user deposits, validators have to agree on the new state, and every integrated front end has to point at the restored system at the same moment. A staged restart with a vault migration at its center reflects that complexity.
Resuming "all network activity," as the report frames it, is the signal users were waiting for. A protocol can technically be online while large parts of its functionality stay frozen behind risk controls. A complete restart of swaps suggests the team is confident enough in the upgraded code and the migrated vaults to let value flow at full volume again.
The vault migration at the center of the restart
Moving funds out of the old vaults and into newly secured ones is the part of this story that matters most for anyone who left assets in the system. Cross-chain protocols like THORChain custody pooled liquidity in vault addresses that the network's validators control collectively. When those vaults are the surface an attacker probes, migrating to fresh ones with hardened controls is the cleanest way to draw a line under the incident. It also means the addresses holding user liquidity changed, which is exactly the kind of detail that needs to be communicated clearly so that nobody interacts with a stale endpoint.
The combination of "multiple security upgrades" and a vault migration points to a fix that touched both the code and the custody layer, rather than a single hotfix. That is the right shape for a recovery after an exploit of this size. It is also slower, which explains the better-part-of-two-months gap between the incident and the reopening.
Cross-chain swaps and the risk users carry
THORChain sits in a category that many holders use precisely because it avoids a custodial middleman: you swap one native asset for another without handing coins to an exchange that could freeze withdrawals. That design is genuinely useful for people who spend from their own wallet and want to rebalance without routing through a centralized desk. The trade-off is that the protocol's own smart contracts and shared vaults become the thing you are trusting instead.
A month of frozen trading is the concrete version of that trade-off. Self-custody removes the risk that a company holding your coins goes insolvent, the failure mode that turned custodial collapses into total losses for users in past cycles. It does not remove the risk that the rails themselves break and lock value in place while a team rebuilds. Both are real. They just sit in different places, and a restart like this is a reminder to weigh the protocol risk on its own terms rather than assuming "non-custodial" means "risk-free."
The timing lands during a broad market pullback. As of June 23, 2026, Bitcoin traded near $62,371, down 2.8% on the day and 6.19% over the week, with Ether around $1,654 (down 5.43%) and the Fear and Greed index sitting at 20, in Fear territory, per CoinMarketCap. Liquidity returning to a cross-chain venue in the middle of a risk-off stretch is less about a fresh wave of trading and more about restoring a piece of plumbing that traders rely on when conditions are this jumpy.
Practical takeaways for users with funds in play
Anyone who had positions or pending swaps caught in the halt should confirm they are interacting with the current vault addresses and updated front ends before moving anything, given that the migration changed where liquidity lives. Treat the first days back online as a settling-in period: restarts after major incidents are when edge-case bugs and integration mismatches tend to surface.
More broadly, the episode is a clean case study in how cross-chain infrastructure recovers. The fix here was not a patch and a press release. It was security upgrades plus a full custody migration plus a deliberate, weeks-long pause. That is the cost of doing a recovery properly, and it is worth remembering the next time a protocol promises a faster turnaround.
Overview
THORChain restarted all trading more than a month after a $10M exploit, reopening only after multiple security upgrades and a complete vault migration. The drawn-out timeline reflects the work of rebuilding both the code and the custody layer rather than shipping a quick fix. For self-custody users, the restart is a reminder that non-custodial cross-chain rails carry their own protocol and bridge risk, distinct from the counterparty risk of holding coins on an exchange. With markets in a Fear regime and Bitcoin near $62,371 as of June 23, 2026, the practical step for affected users is to verify current vault addresses before moving funds.
