Key Highlights
- THORChain confirmed that no user funds or LP positions were lost in the May 15 exploit.
- The protocol warned users about fake refunds, airdrops, and compensation scams circulating online.
- Investigators linked the attack to a malicious node exploiting a GG20 TSS vulnerability.
THORChain, a decentralized liquidity protocol, has released its second official incident update following the security exploit that occurred on May 15. The team alerted the community to an increase in impersonation accounts and misinformation campaigns spreading false claims about refunds, airdrops, and compensation programs.
According to the official update posted on X, the team noted that no user funds were lost in the incident and that the protocol isn’t running any refund, airdrop, or compensation initiatives. The team asked users to rely only on official THORChain communication channels and to avoid any unsolicited messages or fake accounts claiming otherwise.
THORChain contributors are actively investigating the exploit with THORSec and external security partners. The protocol assured that more information would be provided as the investigation progresses.
Background of the incident
On May 15, the first update on the incident revealed that a newly churned node, thor16ucjv3v695mq283me7esh0wdhajjalengcn84q, was associated with the attack. According to the investigators, a single malicious actor exploited a vulnerability in the GG20 TSS (Threshold Signature Scheme) implementation.
This permitted the gradual leakage of vault key material, allowing the attacker to eventually reconstruct the vault’s private key and execute unauthorized outbound transactions. Estimates place the losses at roughly $10 million to $10.8 million across multiple blockchains, including Bitcoin, Ethereum, BNB Chain, and Base.
User swaps and liquidity provider (LP) positions weren’t directly impacted. The network’s automatic safeguards paused signing activity, which temporarily halted the network and hindered any further damage.
Trading, LP actions, and sensitive operations remain paused while recovery discussions continue. Potential remediation options under consideration include slashing the bonds of affected nodes and using Protocol-Owned Liquidity (POL) to absorb losses.
Current status of investigation
THORChain contributors are working with THORSec and external partners such as Outrider Analytics to conduct a thorough investigation. The team anticipates that RUNE transfers and chain observation will resume after the pause ends, subject to node decisions.
However, full trading and sensitive operations will be suspended until a comprehensive recovery plan is approved by the community and node operators; bridging the network back to full functionality may take a few days.
Issues in decentralized cross-chain infrastructure
This incident highlights the issues that exist within decentralized cross-chain infrastructure, specifically in the use of threshold signature schemes. Although the protocol was able to withstand the threat through its pause mechanisms and open communication channels, the next few days are crucial to rebuilding trust.
Users are encouraged to do the following:
- Follow only authorized THORChain sources.
- Do not click any unknown links or provide wallet credentials.
- Monitor official updates for the resumption of services.
