THORChain paused all vault rotation operations after developers discovered a consensus issue that surfaces specifically during the churning process. The network's development team restructured its roadmap around a single release - the v3.20 update - which consolidates security patches, Monero integration, and router V6 deployment into one coordinated upgrade targeting deployment the following week. The pause stems from a vulnerability requiring changes deep in Thornode that cannot be carried by a point release. The consolidation addresses a critical security gap while limiting the number of high-stakes upgrade sequences the network must execute, particularly important given stretched reviewer bandwidth across the development team.
Vault rotation represents one of THORChain's fundamental security mechanisms, and the operation is currently not running. A consensus issue surfaces specifically during the churning process, and the fix requires changes deep enough in Thornode that a point release cannot carry them. That ruled out the originally planned v3.19.4 patch the same day the team discussed it.
The team met to cut v3.20 instead, targeting an upgrade height for the following week. Once the release lands, the plan is to re-enable Solana first, then restore churning. Everything originally scoped for v3.19.4 - including the Monero work - now rolls into that single larger release alongside the new router V6 code, which is already ready and being deployed progressively. For users, the experience after the upgrade remains the same: swaps route through THORChain Swap as normal.
The consolidation is not purely reactive. Rolling multiple improvements into one coordinated release limits the number of times the network must go through a high-stakes upgrade sequence, which matters when reviewer bandwidth is already stretched.
The recent exploit did not come from a single catastrophic flaw. According to Aaluxx, co-founder of Maya Protocol and now a senior developer on THORChain, the vulnerability was a combination of three older bugs that had coexisted harmlessly in the codebase until someone - or something - discovered they could be triggered in sequence.
"It was three bugs that, chained together, were exploitable. Any one of them individually was harmless," Aaluxx stated.
He described the morning the exploit broke as ice-cold. The team had recently merged TSS patches from a private repository, and his immediate fear was that an error in that merge had introduced the vulnerability. A fast check cleared it: the commit was intact, and the root cause traced back to much older code. The team had actually caught a similar chained bug - a potential double-spend - only a couple of months earlier, which means the underlying pattern was already on the radar.
Detection was technically elegant. By factoring one of the TSS setup's cryptographic parameters and scanning for small prime numbers that should not be present, developers could identify whether any given vault had been poisoned. On THORChain, one of five vaults was found to be compromised, which explains why roughly 20% of TVL was drained rather than the full amount. The method gave the team a reliable diagnostic in a situation where speed of triage was critical.
Aaluxx was direct about the broader lesson from AI's role going forward: a small team can now explore a codebase from far more angles simultaneously, which is a defensive advantage - but the same capability is available to anyone trying to find vulnerabilities from the outside. He expects a few more difficult months as the industry adapts to that new reality.
For the roughly month that THORChain was paused, Maya Protocol kept swapping. The same latent bug existed in Maya's codebase, but it was never triggered. More importantly, Maya was running a single vault that the team could independently verify as healthy - so they kept it operational while pausing churning as a precaution, since a churn could have opened the same exploit path.
The practical consequence was real: native BTC-to-ETH swaps remained unavailable on THORChain during that period, but remained available on Maya. That is the redundancy argument made concrete.
"We need to fly the jet with two engines," Aaluxx stated.
After the exploit and during the earlier TCY period, some voices argued for merging THORChain and Maya - using RUNE to buy out CACAO and consolidating into a single larger DEX. Aaluxx acknowledged it would have been a reasonable business decision and rejected it anyway. Two independent, permissionless DEXes sharing the same ideals are a deliberate design choice, not an inefficiency to optimize away. The cost of redundancy is real, but so is the cost of a single point of failure.
The constraint slowing THORChain's release velocity is not a shortage of code. It is a shortage of people qualified to review and deploy it.
"Our limiting factor is not code creation, it's reviewing and deploying," Aaluxx stated.
Currently, only around three people have the depth of expertise required to review and deploy changes for THORChain. Adding more developers or more pull requests does not automatically accelerate delivery - it adds review load to an already narrow bottleneck. The team operates on a deliberate two-to-one ratio: every piece of code written requires at least two reviews before it moves forward.
On the governance side, a structural issue has emerged. With proposals now coming from many contributors rather than a single coordinating body like Nine Realms, ADR numbers have collided and rough ideas have been filed as formal ADRs before they were ready to build.
The proposed fix is to separate the idea stage from the ADR stage entirely. An ADR, as Aaluxx framed it, should already be a finished recipe: concise, technical, and buildable with available resources. What is missing is an upstream space - a kind of battleground - where raw ideas get challenged, refined, or discarded before they qualify for ADR status.
"Some people think 'I want pasta' is an ADR. That's not an ADR, that's a problem. Come to us with a recipe," Aaluxx stated.
Further down the line, ADR numbers could be requested and assigned on-chain through node relay, with the first approving node assigning the next sequential number. That would make ownership of a proposal unambiguous without creating a centralized gatekeeper. An ADR, it bears repeating, is not a prerequisite for shipping code - anyone can open issues and pull requests on GitLab today. An ADR is a temperature check that tells node operators whether they want paid developer time spent on something.
Despite the pause, integrations across the ecosystem kept moving. ShapeShift has now joined Symbiosis as a live participant in the dynamic fee model, and the data coming back from both is proving useful. Three or four more affiliates are expected to come online within a week, pending Chad Barraford's availability to finish the integrations.
A community tip reopened two larger integration conversations. A cold DM to Randy Bechtold surfaced Robinhood Chain as a potential target - and a quick look revealed it is built on Arbitrum, a network THORChain had already been pursuing. That created a two-for-one opportunity: Bechtold has a call scheduled with the Arbitrum team, and plans to ask for a warm introduction to Robinhood while there.
Aaluxx offered a technical note of caution on Arbitrum: it runs at roughly four blocks per second, which floods nodes with message volume in a way similar to Solana. Maya spent about a year stabilizing its own Arbitrum support. The upside is that the hard work is largely done on Maya's side, giving THORChain a shorter path.
The XMR integration is the closest major feature to shipping. Aaluxx is in discussions with Least Authority for a security audit - a firm he rates among the top for privacy chain work. There is direct precedent: Zcash funded a Least Authority audit of its ZEC-into-Maya integration, which recently completed with only minor denial-of-service and quality-of-life findings, no major bugs. The Monero work has already cleared chain-net testing and a developer review.
True to the protocol's usual approach, the XMR pool will launch first with shallow, protocol-owned liquidity and small test swaps, keeping user funds out of the picture while the chain client proves itself in production.
"Break things, but break them small," Aaluxx stated.
ZEC on the THORChain side has no timeline. The bottleneck is bandwidth: refunds, security work, the network restart, and the Monero launch are all competing for the same narrow review-and-deploy window, and churns come first.
The payments angle of the ecosystem got its own update. Moca, a crypto point-of-sale and payments network, settles transactions through Maya Protocol, THORChain, and a handful of other backends. The goal is to let ordinary merchants accept crypto and settle in crypto without friction - real-world volume flowing back through the protocols as a result.
The beta is deliberately quiet, targeting launch the Monday after next, with no marketing push at first. The plan is to open business accounts, gather feedback, run real test payments, and close bugs before a wider rollout.
"The payment side of Maya is upon us," stated EricOnchain, Moca.
Builders interested in early API access can reach EricOnchain or the Moca account directly.
Why is THORChain's vault rotation currently paused?
A consensus issue specifically tied to the churning process requires fixes at the Thornode level. Those changes are too deep to ship in a point release, so vault rotation stays paused until the full v3.20 update is deployed.
What caused the recent THORChain exploit?
Three older bugs that were each harmless in isolation became exploitable when triggered in sequence. The combination allowed one of THORChain's five vaults to be compromised, resulting in approximately 20% of TVL being drained.
How did Maya Protocol maintain swaps during THORChain's downtime?
Maya was running a single vault that the team could independently verify as uncompromised. By keeping that vault operational - while pausing churning as a precaution - Maya continued processing swaps throughout the entire month-long THORChain pause.
Related News