THORChain contributors say current evidence points to a newly churned validator node as the likely source of the exploit that drained roughly $10.8 million from the cross-chain liquidity protocol.
In an incident update shared via X on Friday, developers said the leading theory is that the attacker exploited a vulnerability in THORChain’s GG20 threshold signature scheme (TSS), allowing sensitive key material to leak over time. Investigators believe the attacker used that information to reconstruct a vault private key and authorize unauthorized outbound transactions.
The network remains partially paused while developers, security contributors, and node operators determine how to restore normal operations and absorb the losses.
Newly added validator under scrutiny
According to the update, a node identified as thor16ucjv3v695mq283me7esh0wdhajjalengcn84q, which joined the active validator set several days before the incident, is believed to be linked to the exploit.
Developers said Ethereum addresses used to acquire and bond RUNE for the node appear connected to addresses that later received stolen funds. Based on the evidence reviewed so far, contributors believe the attack was likely carried out by a single malicious node operator, though the investigation remains ongoing.
GG20 TSS vulnerability emerges as leading theory
THORChain uses a threshold signature scheme to secure shared vaults without relying on a single private key.
Developers now suspect the protocol’s GG20 TSS implementation may have leaked fragments of key material over time. If enough data was exposed, an attacker could have reconstructed the vault key and signed transactions without authorization. The team has not yet released a formal post-mortem, and the root cause remains under investigation.
Network paused as recovery plan takes shape
Multiple node operators executed the make pause command after the exploit was detected, placing the network into a temporary pause state. THORChain said the pause is expected to expire automatically after about 12 hours unless node operators extend it. Contributors indicated they are comfortable allowing RUNE transfers and chain observation to resume when the pause ends.
More sensitive functions, including trading, liquidity provider actions, and transaction signing, will remain suspended until the network agrees on a broader remediation plan.
Recovery options include bond slashing and POL
Node operators are discussing several ways to cover the losses. Options under consideration include:
- Slashing the bonds of nodes that participated in the affected vault
- Using protocol-owned liquidity (POL) to absorb part or all of the loss
- Adopting other recovery proposals submitted by the community
No final decision has been made.
THORChain said its treasury team is gathering forensic evidence and coordinating with security specialists at THORSec and Outrider Analytics, as well as law enforcement agencies. The goal is to identify the attacker and recover funds where possible.
Incident follows earlier $10.8 million estimate
The latest update builds on earlier reports from security firms, including Cyvers, and from on-chain investigators, which estimated that the exploit affected assets across Bitcoin, Ethereum, BNB Chain, and Base.
Initial estimates placed the loss at about $10.8 million, with stolen assets reportedly consolidated into wallets holding ETH, BTC, and BNB.
Full restart may take days
Contributors cautioned that restoring THORChain’s full functionality will likely take several days and could take longer depending on which remediation path node operators choose.
For now, the focus remains on confirming the exploit mechanism, containing further risk, and reaching consensus on how the decentralized protocol should allocate losses.
