THORChain disclosed new details about the May 15 exploit that drained roughly $10.7 million from one of its network vaults. In a post-incident report, the decentralized liquidity protocol said a newly added node operator exploited a weakness in its GG20 signing system only two days after joining the network. The attack triggered emergency shutdowns across trading, signing, and validator operations as developers rushed to contain further losses.
In the report, THORChain said its automatic solvency system detected abnormal vault balances within minutes and immediately froze activity across several connected blockchains. Node operators later expanded the response through emergency governance votes to fully halt network operations. The breach affected only 1 of THORChain’s 6 Asgard vaults — meaning the attacker drained roughly 20% of protocol-owned funds in active vaults. User funds, LP positions, and the remaining five vaults were untouched.
GG20 flaw allowed vault key reconstruction
THORChain traced the exploit to a validator node that joined the network on May 13. The malicious node was identified as thor16ucjv3v695mq283me7esh0wdhajjalengcn84q. According to the report, the attacker spent two days participating in routine GG20 signing operations before reconstructing a vault’s private key. The attacker then bypassed the normal approval process and moved funds directly from the compromised vault through unauthorized outbound transactions.
The protocol explained that its GG20 system splits a vault's signing key into fragments held by several validators instead of relying on a single private key. Validators normally work together through multiple communication rounds to approve transactions securely. However, investigators believe the attacker exploited gradual information leakage inside the GG20 implementation to rebuild the vault key over time.
The GG20 family — a fork of Binance’s tss-lib — has been on security researchers’ watchlist for years. Critical vulnerabilities in earlier GG18/GG20-family protocols have been documented, and Ledger CTO Charles Guillemet noted that in some previously documented attack scenarios, a single compromised co-signer could reconstruct enough information to recover the full signing key. The class of attacks first put on the industry’s radar by the “TSSHOCK” CVEs appears to be the closest analog to the May 15 incident.
THORChain also revealed that it had already planned to move toward the newer DKLS cryptographic system before the exploit occurred. The network said it had worked with Silence Labs since November 2025 to develop a customized version designed with additional security protections.
Where the stolen funds went
Per onchain analysis, the attacker drained assets across Bitcoin, Ethereum, BNB Chain, and Base. Wallets linked to the attacker held approximately 3,443 ETH, 36.85 BTC, and 96.6 BNB shortly after the attack, before consolidating the proceeds into a two-address cluster. TRM Labs noted the drain spread across at least nine chains in total, with the four named chains being the primary destinations for the stolen funds.
Emergency systems limited broader damage
THORChain said its automated solvency system detected abnormal vault balances after losses exceeded the network’s 1% threshold. Within 52 minutes, the protocol automatically halted trading and signing activity across Ethereum, Avalanche, Binance Smart Chain, Base, Dogecoin, and Gaia integrations to prevent further losses.
Meanwhile, node operators coordinated additional emergency measures through Discord and the network’s Mimir governance system. Roughly 18 to 20 validators stacked manual pauses to keep the network frozen while the investigation continued. Operators also activated HALTTRADING, HALTSIGNING, HALTCHAINGLOBAL, and HALTCHURNING controls within about one hour after community members flagged suspicious transactions.
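The solvency check described above, as an added example that is not THORChain's own code: it compares the balance the protocol's ledger expects each vault to hold against the balance observed on the external chain and returns halt controls for any chain whose shortfall exceeds the report's 1% threshold. The data model, the sample balances, and the mapping of a breach to the HALTTRADING and HALTSIGNING Mimir controls are assumptions made for this example.

```python
from dataclasses import dataclass

# Threshold from the post-incident report: a vault counts as insolvent once the
# shortfall against the ledger exceeds 1% of what the ledger says it holds.
INSOLVENCY_THRESHOLD = 0.01


@dataclass(frozen=True)
class VaultBalance:
    chain: str        # external chain identifier, e.g. "ETH" or "BTC"
    ledger: float     # balance the protocol's ledger expects the vault to hold
    observed: float   # balance actually seen on the external chain


def shortfall_ratio(v: VaultBalance) -> float:
    """Fraction of the expected balance that is missing (0.0 when nothing is missing)."""
    if v.ledger <= 0:
        return 0.0  # an empty or unknown ledger balance cannot be "short"
    return max(0.0, (v.ledger - v.observed) / v.ledger)


def solvency_check(balances, threshold=INSOLVENCY_THRESHOLD):
    """Return {chain: [halt controls]} for every chain whose vault breaches the threshold.

    Mapping a breach to HALTTRADING and HALTSIGNING on that chain is an assumption
    for this example; the control names are the Mimir keys named in the report.
    """
    actions = {}
    for v in balances:
        if shortfall_ratio(v) > threshold:
            actions[v.chain] = ["HALTTRADING", "HALTSIGNING"]
    return actions


# Constructed sample: the ETH vault is drained far past 1%; the BTC vault is 0.5%
# short, which is the kind of transient gap an in-flight outbound can cause and
# which the threshold must tolerate without tripping; the BNB vault is untouched.
SAMPLE = [
    VaultBalance("ETH", ledger=4000.0, observed=557.0),
    VaultBalance("BTC", ledger=40.0, observed=39.8),
    VaultBalance("BNB", ledger=100.0, observed=100.0),
]

if __name__ == "__main__":
    for chain, controls in solvency_check(SAMPLE).items():
        print(f"{chain}: {' '.join(controls)}")
```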
Through on-chain forensic analysis, the protocol later linked the malicious validator node to the Ethereum addresses that received the stolen assets. THORChain also confirmed that it continues to work with Outrider Analytics and law enforcement agencies during the ongoing investigation.
THORChain has since released patch v3.18.1 to secure the remaining vaults while developers continue reviewing the exploit path. Recovery efforts will now move through community governance under ADR-028, where node operators will decide how the protocol restores the lost funds.
