V12 Says THORChain Silently Patched Its Critical Bug, Then Told Researchers the Bounty Is 'Permanently Retired'

The Defiant, Jun 1, 2026

Why It Matters

The episode highlights the risks when a DeFi protocol’s bounty incentives disappear and patches are not promptly deployed, exposing users to multi‑million dollar losses. It also raises questions about responsible disclosure practices in the crypto security community.

Key Takeaways

  • V12 disclosed a critical THORChain bug on April 28 and received no bounty.
  • THORChain silently patched the bug, but the fix wasn’t deployed before May 15.
  • The May 15 attack cost approximately $10.7 million; the RUNE price fell 15% that day.
  • THORChain’s bug bounty program was retired months earlier, citing a high volume of AI‑generated submissions.
  • V12 will publish exploit code and additional denial‑of‑service flaws soon.

Pulse Analysis

Cross‑chain liquidity hubs like THORChain promise seamless asset swaps, but their complexity makes them prime targets for sophisticated attacks. The May 15 exploit, which siphoned $10.7 million, underscores how a single proposer‑forgery flaw can bypass transaction finality checks and release funds before deposits are confirmed. While THORChain’s total value locked sits near $30 million, the loss represented a sizable portion of its capital, shaking confidence among liquidity providers and prompting a sharp 15% dip in the RUNE token price.

The dispute between V12 and THORChain brings the broader issue of bug‑bounty sustainability into focus. After retiring its program in early 2026—citing an influx of AI‑generated submissions—THORChain left researchers without a clear financial incentive to disclose vulnerabilities responsibly. V12’s claim that its April 28 report was silently patched yet never rolled out illustrates how gaps in coordination can leave critical bugs unaddressed. In the fast‑moving DeFi space, delayed patches and ambiguous reward structures can turn a preventable flaw into a costly breach.

Looking ahead, the public release of exploit code by V12 could accelerate both defensive hardening and malicious targeting. Investors and custodians will likely demand greater transparency, formalized bounty frameworks, and rigorous continuous‑integration pipelines to ensure patches reach validators before attackers can act. Regulators may also scrutinize protocols that operate without clear disclosure policies, potentially shaping future compliance standards for decentralized finance platforms.
