7
A security startup said it intends to publicly release exploit code for unpatched THORChain vulnerabilities in the coming days, after the cross-chain protocol patched an earlier critical bug the firm had disclosed without crediting or paying it.
V12, a startup that builds an automated code-auditing tool and has recently published Linux kernel exploits, said in a post on X that it reported a "critical loss of funds" bug to THORChain, that the protocol "silently patched it," and that a THORChain representative told the firm its bug bounty program is permanently retired. V12 said it is holding additional THORChain "chain halt" denial-of-service vulnerabilities that it plans to disclose openly, and it published a repository of proof-of-concept code.
Proposer-forgery Bug
The disclosure lands roughly three weeks after THORChain, a cross-chain liquidity protocol with about $30 million in total value locked, lost an estimated $10.7 million from one of its six Asgard vaults on May 15. Security researchers including Blockaid and onchain investigator ZachXBT attributed that exploit to a proposer-forgery bug in THORChain's Bifrost attestation system — the same class of flaw a THORChain code commit dated May 6 was written to fix.
That patch, titled "sign full ObservedTx wrapper to prevent proposer forgery," was never deployed; researchers said it failed the protocol's automated testing and rollout process before the attack. RUNE fell as much as 15% the day of the exploit and now trades near $0.49, down about 87% over the past year, according to data from DefiLlama and CoinGecko.
THORChain has been hacked repeatedly since 2021 and processed the bulk of the laundering in the $1.4 billion Bybit hack.
What V12 Says It Found
V12 said it approached THORChain on April 28 to "responsibly disclose" what it called a likely critical vulnerability, sharing a patch file, a proof-of-concept script and a report, according to message screenshots the firm published.
In those messages, V12 described a flaw in which a single malicious validator acting as the CometBFT block proposer can "bypass all confirmation requirements" by forging unsigned finality data on honestly attested transactions, causing THORChain to release outbound funds before a source deposit is confirmed. The firm said the issue affected every external chain integrated with THORChain and was exploitable by any active validator during its normal proposer rotation.
When V12 followed up about a payout, a THORChain contact replied that they were "not aware of any bug bounty running at the moment by THORChain" and said the team had stopped the program "long ago," per the screenshots. V12 then asked whether there was no payout even for critical bugs.
The contact's identity was redacted in the images. V12's account rests on messages it published itself, presenting one side of the exchange; THORChain has not confirmed their authenticity or the existence of the disclosed bug.
A Patch That Never Shipped
THORChain's developers authored a fix for a proposer-forgery bug on May 6, nine days before the May 15 exploit, according to the THORNode commit history. Blockaid's analysis of the attack found that validator signatures did not cover a transaction's inbound-or-outbound field, letting a proposer flip a real inbound observation into an outbound payout to attacker-controlled addresses. Researchers said the May 6 patch addressed that exact behavior but failed the protocol's continuous-integration process and was not rolled out to validators in time.
The bug V12 says it disclosed on April 28 is described in nearly identical terms to both the patch and the flaw researchers blamed for the exploit.
THORChain has not published a full post-mortem or confirmed that the disclosed bug and the exploited bug are the same, and V12 did not explicitly claim in its post that the May 15 attacker used its findings. Blockaid and ZachXBT have said they believe the May 15 attacker is the same actor behind the March 2025 1inch Fusion V1 attack.
THORChain's automated defenses did contain the May 15 incident: node operators triggered a network-wide halt, freezing trading, signing and validator churn for about 13 hours, and the team said no individual user swaps were affected. The protocol disclosed the loss via Discord and X, as covered in The Defiant's reporting on the Asgard vault compromise.
The link between V12's report and the May 15 exploit, while consistent across the firm's description, the patch commit and third-party forensic analysis, has not been confirmed by THORChain or stated outright by V12.
A Bounty Program in Retreat
THORChain launched a $500,000 bug bounty on Immunefi in 2021 after a string of exploits. It later left that platform amid controversy, moving to a self-hosted program that researchers say was retired in March 2026, two months before the May exploit. In November 2024, researcher Luke Parker publicly accused the protocol of pulling its Immunefi program after the platform ruled he was owed roughly $270,000 for a critical submission.
THORChain's own documentation still references a bounty for verified critical bugs in its emergency-procedures and security pages, language that now sits at odds with the firm's account and the protocol's apparent shift away from paid disclosure.
Open disclosure of working exploit code against a live protocol that still holds user liquidity also draws criticism in security circles, regardless of a bounty dispute, because it can arm attackers before fixes ship. V12 acknowledged in its post that it expects more critical issues remain in the codebase, saying the code quality is "honestly not great" in its view.
What's Next
V12 said it would release the additional THORChain denial-of-service vulnerabilities in the coming days. THORChain has not issued a post-mortem on the May 15 exploit or responded publicly to V12's claims. The Defiant has requested comment from THORChain and V12.
bitcoinworld.co.in
cointelegraph.com
coinedition.com
