Incident case

THORChain 2021 ETH Router exploit 2

A second July 2021 attack used a fake router and malicious refund memo to make Bifrost accept a fabricated deposit event, draining economically significant ERC-20 assets from THORChain's Ethereum-side liquidity.

reviewedcurrent

Incident facts

Incident title: THORChain 2021 ETH Router exploit 2
Bridge: THORChain
Incident date: 2021-07-22
Incident type: Exploit
Major incident: Yes
Affected chains: THORChain, Ethereum
Affected assets: USDC, USDT, Unknown
Attack category: Message Verification Failure
Reported loss: Approximately $8 million
Recovery: Unknown
Reimbursement: Completed
Restart: Reopened
Current outcome: Active After Incident
Resolution: Final outcome known
Last reviewed: 2026-06-14
Last verified: 2026-06-14

Timeline events

Second THORChain ETH Router exploit disclosed2021-07-22
A second July 2021 ETH Router incident removed an ERC-20 asset basket from protocol liquidity.
Exploit DisclosedHigh
THORChain returned to staged trading after remediation2021-10
After audits, router changes, node upgrades, and treasury-led loss coverage, THORChain resumed functions and trading in stages.
Network ReopenedMedium

Evidence records

Post-Mortem: ETH Router Exploits 1 & 2, and Premature Return to Trading Incident
THORChain · Tier 1 · 2021-07-30
THORChain Incident Analysis - July 23, 2021
Halborn · Tier 1 · 2021-07-23
THORChain - REKT 2
Rekt · Tier 3 · 2021-07-26

Known unknowns

The exact asset-level USD valuation varies by source timing.