Security firm V12 Security has ignited a sharp controversy in the DeFi space by accusing THORChain of silently fixing a major loss of funds vulnerability that the firm had responsibly disclosed in late April, while offering neither credit nor any bounty reward.
The accusation, detailed in posts on X and supported by shared chat screenshots and a public proof of concept repository, highlights ongoing challenges around bug bounty programs in decentralized protocols, especially amid rising AI generated spam submissions.
We reported a critical loss of funds bug to @Thorchain (32M TVL, 150M FDV)
They silently patched it and told us their bug bounty program is permanently retired.
We have more Thorchain chain halt DoS vulns. We intend to release them (open disclosure) in the coming few days pic.twitter.com/R2jyej5Pnh
— V12 (@v12sec) June 1, 2026
The Disclosed Vulnerability
On April 28, V12 says it reached out to the THORChain team with details of a critical flaw in the protocol’s attestation and finality mechanism. According to the researcher, a single malicious validator acting as a CometBFT block proposer could forge unsigned finality data, bypassing confirmation requirements and triggering premature outbound fund releases before source chain deposits were fully verified.
This issue reportedly impacted every external chain connected to THORChain and could be exploited during routine validator proposer rotations. V12 provided a detailed report, patch suggestion, and working proof of concept.
Link to May Exploit and Patch Timeline
The disclosure came just weeks before THORChain suffered a real world 10.7 million dollar exploit on May 15, when attackers drained funds from one of its Asgard vaults across multiple chains including Bitcoin, Ethereum, BSC, and Base.
THORChain developers merged a related patch titled “sign full ObservedTx wrapper to prevent proposer forgery” on May 6. However, the fix reportedly failed automated testing and was not deployed in time, contributing to the successful attack. The protocol maintains that the bug reported by V12 is unrelated to the May 15 incident.
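The mechanism described above, a proposer rewriting finality data that the observer's signature does not cover, can be shown in a few dozen lines. The Go program below is an added illustration and is not THORChain's code; the `ObservedTx` struct, the field names, the fixed signing seed and the sample deposit are all constructed for the example. It contrasts a scheme that signs only the deposit identity with one that signs the full wrapper (the direction the "sign full ObservedTx wrapper" patch title describes), and runs both through a simple outbound-release gate after the finality fields have been tampered with.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// ObservedTx is a constructed stand-in for one node's observation of an inbound
// deposit on an external chain; it is not THORChain's real type. The finality
// fields are what a block proposer must not be able to rewrite.
type ObservedTx struct {
	Chain          string `json:"chain"`
	TxID           string `json:"tx_id"`
	Amount         uint64 `json:"amount"`
	BlockHeight    uint64 `json:"block_height"`    // height the deposit was seen at
	FinaliseHeight uint64 `json:"finalise_height"` // height at which it counts as final
	Finalised      bool   `json:"finalised"`
}

// Attestation is an observation plus the observer's signature over some payload.
type Attestation struct {
	Tx        ObservedTx
	Signature []byte
}

// partialPayload signs only the deposit identity. Everything else in the
// wrapper, including finality, travels unsigned and is therefore forgeable.
func partialPayload(tx ObservedTx) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d", tx.Chain, tx.TxID, tx.Amount))
}

// fullPayload signs the whole wrapper. encoding/json emits struct fields in
// declaration order, so the encoding is deterministic for this type.
func fullPayload(tx ObservedTx) []byte {
	b, err := json.Marshal(tx)
	if err != nil {
		panic(err)
	}
	return b
}

func sign(priv ed25519.PrivateKey, tx ObservedTx, payload func(ObservedTx) []byte) Attestation {
	return Attestation{Tx: tx, Signature: ed25519.Sign(priv, payload(tx))}
}

func verify(pub ed25519.PublicKey, a Attestation, payload func(ObservedTx) []byte) bool {
	return ed25519.Verify(pub, payload(a.Tx), a.Signature)
}

// releaseAllowed is the outbound gate: the attestation must verify, the
// deposit must be marked final, and the finalise height must have passed.
func releaseAllowed(pub ed25519.PublicKey, a Attestation, payload func(ObservedTx) []byte, currentHeight uint64) bool {
	return verify(pub, a, payload) && a.Tx.Finalised && currentHeight >= a.Tx.FinaliseHeight
}

// forgeFinality models a proposer that forwards an honest attestation but
// rewrites the finality fields so the deposit looks final immediately.
func forgeFinality(a Attestation) Attestation {
	f := a
	f.Tx.Finalised = true
	f.Tx.FinaliseHeight = f.Tx.BlockHeight
	return f
}

// Demo builds an honest "not yet final" observation, forges its finality, and
// reports whether each scheme would release funds at the observation height.
// Returns (partialSchemeReleases, fullSchemeReleases).
func Demo() (bool, bool) {
	// Constructed fixed seed so the run is reproducible; never derive a real key this way.
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)

	// Constructed sample deposit: seen at height 900000, final only six blocks later.
	honest := ObservedTx{Chain: "BTC", TxID: "deadbeef", Amount: 50_000_000,
		BlockHeight: 900_000, FinaliseHeight: 900_006, Finalised: false}

	partial := forgeFinality(sign(priv, honest, partialPayload))
	full := forgeFinality(sign(priv, honest, fullPayload))

	return releaseAllowed(pub, partial, partialPayload, 900_000),
		releaseAllowed(pub, full, fullPayload, 900_000)
}

func main() {
	weak, hardened := Demo()
	fmt.Printf("partial-signature scheme releases funds on forged finality: %v\n", weak)
	fmt.Printf("full-wrapper signature scheme releases funds on forged finality: %v\n", hardened)
}
```

With the partial scheme the forged attestation still verifies, because the bytes under the signature never changed, and the gate releases funds six blocks early; with the full-wrapper scheme the same edit invalidates the signature and the release is refused. The defensive check to carry away is that every field a downstream decision depends on must be inside the signed payload, and a reviewer auditing an attestation format should diff the set of signed fields against the set of fields the release logic reads.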
Bug Bounty Dispute Intensifies
When V12 followed up regarding compensation, a THORChain representative allegedly informed them that the protocol’s bug bounty program had been permanently retired. THORChain has confirmed the program was closed prior to V12’s submission due to an overwhelming number of low quality, AI generated reports. The decision was publicly documented in the project’s GitLab repository.
This marks another chapter in THORChain’s bumpy history with security disclosures. The protocol previously ran a 500,000 dollar bug bounty on Immunefi after earlier exploits but moved away from the platform amid past controversies.
Broader Context and THORChain’s Security Track Record
THORChain, which facilitates native cross chain swaps and currently holds around 30 million dollars in TVL, has faced repeated security incidents since its early days. The May 15 exploit led to a network wide halt lasting approximately 13 hours, with no direct impact on individual user swaps. The team has since released patches and opened community governance discussions (ADR 028) on fund recovery through Protocol Owned Liquidity without minting new RUNE tokens.

The RUNE token reacted sharply to the May exploit, dropping as much as 15 percent in a single day and trading near 0.49 dollars recently, reflecting lingering investor concerns.
Upcoming Disclosures and Community Reaction
V12 has already published one proof of concept repository and warns it holds additional chain halt denial of service vulnerabilities affecting THORChain, which it plans to open source in the coming days. The firm criticized the overall code quality of the protocol.
The incident has divided the crypto security community. While some defend THORChain’s decision to curb low effort submissions, others including on chain investigators have pointed to persistent weaknesses in the protocol’s validator and signature systems.
What’s Next?
As THORChain works on recovery proposals and further hardening its infrastructure, this episode underscores the delicate balance between encouraging responsible disclosure and managing operational realities in public bug bounty programs. The DeFi space continues to grapple with sophisticated attacks and the sustainability of security incentives.
THORChain has not issued a full public response to V12’s latest claims beyond confirming the bounty program status.