THORChain Restart Drags On as Zcash Vulnerability Delays Integration
THORChain has remained offline for three weeks since it suffered a $10.7 million vault exploit. The protocol had initially planned to integrate $ZEC support into its platform, but even that is now delayed after a critical flaw was discovered in Zcash's Orchard shielded pool. The timing could not have been worse for $ZEC, which has taken a beating since the AI-discovered vulnerability was revealed.
What happened to THORChain, and when will it actually restart?
THORChain has been offline for three weeks following a major security breach that drained $10.7 million from one of its vaults. The trouble started with a flaw in a security mechanism called the GG20 threshold signature scheme. An attacker managed to join the network as a node operator and exploited the weakness to siphon funds from a single vault. The other four vaults were not affected, small consolation for the one that was. THORChain's developers released a fix (version 3.19) several days ago, but the network has yet to resume normal operations. The team also added a new safety step called "key verify" to confirm that every remaining vault is secure before trading reopens. The restart will involve node operators moving to the new software version, migrating funds, and finally reopening trading. Barraford estimated that this process will take several days to complete once it begins.
The recovery plan, called ADR028, aims to cover the $10.7 million loss without minting new RUNE tokens or diluting existing holders. Instead, the protocol's own treasury will be used, and any remaining shortfall will be shared with synthetic asset holders. The protocol is also offering the hacker a bounty to return the funds, a polite request for the return of stolen money.
What was the Zcash bug, and why did it cause such a big price drop?
Zcash was supposed to be THORChain's next chain integration, ahead of Monero, but that timeline slipped after security researcher Taylor Hornby, working under contract with Shielded Labs, discovered a soundness bug in Zcash's Orchard shielded pool. The bug has been present in the Orchard protocol "rulebook" since it launched in May 2022. Hornby used Anthropic's Opus 4.8 model to build a working example of the exploit in a test environment and confirmed it could produce fake tokens locally. An emergency soft fork temporarily disabled Orchard transactions on June 2, and a hard fork (NU6.2) reactivated the pool with a corrected circuit on June 3. The five-day turnaround from discovery to resolution was only the second security-driven protocol upgrade in Zcash's ten-year history.
When the bug was disclosed, $ZEC dropped roughly 40% within 24 hours. CoinMarketCap data showed the token trading near $333, down from a 52-week high above $700. Arthur Hayes, the chief investment officer at Maelstrom and co-founder of BitMEX, said on X that he liquidated his entire $ZEC position. Hayes had previously set a public price target of 10% of Bitcoin's value for $ZEC, but the 30% drop forced him to rethink. He left open the possibility of buying back the tokens if his concerns about supply integrity proved unfounded.
Blockchain intelligence firm Arkham flagged at least one large holder who watched more than half the value of a $174 million $ZEC position evaporate without selling, either a committed long-term believer or someone refreshing the wallet in disbelief.
Shielded Labs, the organization that fixed the bug, explained that it is cryptographically impossible to determine whether or not the bug was ever exploited, given the four-year window before it was found. The firm also noted that it is unlikely the bug could have evaded years of expert review if it had been active. Just discovering the vulnerability required AI-assisted auditing techniques, and the remediation window was narrow once the flaw became known.