Crypto Times Logo Black
Google News Follow Banner
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • DeFi News
    • Blockchain News
    • Industry
  • Exclusive
    ExclusiveShow More
    After Securing MiCA License, OKX Says Banking License Is Not a Priority
    After Securing MiCA License, OKX Says Banking License Is Not a Priority
    The Wall Around Mint Street: How the RBI Spent a Year Shutting Crypto Out of Indian Banking
    The Wall Around Mint Street: How the RBI Spent a Year Shutting Crypto Out of Indian Banking
    Michael Saylor’s Strategy
    Why Michael Saylor’s Strategy Is Selling Bitcoin After Years of Buying
    Anthropic’s Claude Fable 5 Crypto Hacks
    Anthropic’s Claude Fable 5: The AI That Could Supercharge Crypto Hacks and Defenses
    CLARITY Act Stalls Why Senate's August Recess Puts US Crypto Rules at Risk
    CLARITY Act Stalls: Why Senate’s August Recess Puts US Crypto Rules at Risk
  • Opinion
    OpinionShow More
    The Bitcoin Treasury Blueprint What Stress Testing on Strategy Inc.’s MSTR-STRC Reveals
    The Bitcoin Treasury Blueprint: What Stress Testing on Strategy Inc.’s MSTR-STRC Reveals
    Why Wall Street is Divided Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    Why Wall Street is Divided: Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    The Arthur Hayes Paradox Macro Prophet or Market Opportunist
    The Arthur Hayes Paradox: Macro Prophet or Market Opportunist?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India's Digital Rupee Push?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India’s Digital Rupee Push?
    The CLARITY Act War Starts Jamie Dimon Vs Armstrong
    The CLARITY Act War Starts: Jamie Dimon Vs Armstrong
  • Learn
    • Explained
    • How To
    • Insights
  • Videos
  • More
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
The Crypto TimesThe Crypto Times
  • All News
  • Market
  • Bitcoin
  • Ethereum
  • Altcoins
  • Regulations & Policies
  • Blockchain
  • DeFi
  • Industry
  • Exclusive
  • Opinion
Search
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • Blockchain
    • DeFi
    • Industry
    • Exclusive
    • Opinion
  • Learn
    • Explained
    • How To
    • Insights
  • Quick Links
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
    • AI Policy
    • Sponsored & Advertorial Policy
  • Videos
  • Glossary
Follow US
© 2026 By Crypto Times. All Rights Reserved.
DeFi News

THORChain Shares Exploit Report Revealing $10.7M Vault Breach by New Node

The decentralized liquidity protocol said it froze cross-chain activity within minutes after detecting abnormal vault balances linked to the $10.7M exploit.

Written By Kenrodgers Fabian
Fact Checked by Divya Mistry
Published 2026-05-21
Make The Crypto Times preferred on GoogleGoogle
Share
THORChain Shares Exploit Report Revealing $10.7M Vault Breach by New Node
Show AI Summary
The $10.7 million exploit affected roughly 20% of protocol-owned funds in active vaults.
Users’ funds and LP positions remained untouched due to swift emergency shutdowns.
The breach highlights vulnerabilities in decentralized protocols’ security systems.

THORChain disclosed new details about the May 15 exploit that drained roughly $10.7 million from one of its network vaults. In a post-incident report, the decentralized liquidity protocol said a newly added node operator exploited a weakness in its GG20 signing system only two days after joining the network. The attack triggered emergency shutdowns across trading, signing, and validator operations as developers rushed to contain further losses.

In the report, THORChain said its automatic solvency system detected abnormal vault balances within minutes and immediately froze activity across several connected blockchains. Node operators later expanded the response through emergency governance votes to fully halt network operations. The breach affected only 1 of THORChain’s 6 Asgard vaults — meaning the attacker drained roughly 20% of protocol-owned funds in active vaults. User funds, LP positions, and the remaining five vaults were untouched.

THORChain Exploit Report #1 is now live.

Full timeline of the May 15 incident, how the security layers responded, and what comes next via ADR-028.https://t.co/8QXfeKxwva

— THORChain (@THORChain) May 21, 2026

GG20 flaw allowed vault key reconstruction

THORChain traced the exploit to a validator node that joined the network on May 13. The malicious node was identified as thor16ucjv3v695mq283me7esh0wdhajjalengcn84q. According to the report, the attacker spent two days participating in routine GG20 signing operations before reconstructing a vault’s private key. The attacker then bypassed the normal approval process and moved funds directly from the compromised vault through unauthorized outbound transactions.

The protocol explained that its GG20 system splits cryptographic key fragments across several validators instead of relying on one private key. Validators normally work together through multiple communication rounds to approve transactions securely. However, investigators believe the attacker exploited gradual information leakage inside the GG20 implementation to rebuild the vault key over time.

The GG20 family — a fork of Binance’s tss-lib — has been on security researchers’ watchlist for years. Critical vulnerabilities in earlier GG18/GG20-family protocols have been documented, and Ledger CTO Charles Guillemet noted that in some previously documented attack scenarios, a single compromised co-signer could reconstruct enough information to recover the full signing key. The class of attacks first put on the industry’s radar by the “TSSHOCK” CVEs appears to be the closest analog to the May 15 incident.

THORChain also revealed that it had already planned to move toward the newer DKLS cryptographic system before the exploit occurred. The network said it had worked with Silence Labs since November 2025 to develop a customized version designed with additional security protections.

Where the stolen funds went

Per onchain analysis, the attacker drained assets across Bitcoin, Ethereum, BNB Chain, and Base. Wallets linked to the attacker held approximately 3,443 ETH, 36.85 BTC, and 96.6 BNB shortly after the attack, before consolidating the proceeds into a two-address cluster. TRM Labs noted the drain spread across at least nine chains in total, with the four named chains being the primary destinations for the stolen funds.

Emergency systems limited broader damage

THORChain said its automated solvency system detected abnormal vault balances after losses exceeded the network’s 1% threshold. Within 52 minutes, the protocol automatically halted trading and signing activity across Ethereum, Avalanche, Binance Smart Chain, Base, Dogecoin, and Gaia integrations to prevent further losses.

Meanwhile, node operators coordinated additional emergency measures through Discord and the network’s Mimir governance system. Roughly 18 to 20 validators stacked manual pauses to keep the network frozen while the investigation continued. Operators also activated HALTTRADING, HALTSIGNING, HALTCHAINGLOBAL, and HALTCHURNING controls within about one hour after community members flagged suspicious transactions.

The protocol later linked the malicious validator node to Ethereum addresses that received the stolen assets through on-chain forensic analysis. THORChain also confirmed that it continues working with Outrider Analytics and law enforcement agencies during the ongoing investigation.

THORChain has since released patch v3.18.1 to secure the remaining vaults while developers continue reviewing the exploit path. Recovery efforts will now move through community governance under ADR-028, where node operators will decide how the protocol restores the lost funds.

Also Read: Monero DEX RetoSwap Suspends Trading After $2.7M Exploit in Haveno Protocol

Disclaimer: The information researched and reported by The Crypto Times is for informational purposes only and is not a substitute for professional financial advice. Investing in crypto assets involves significant risk due to market volatility. Always Do Your Own Research (DYOR) and consult with a qualified Financial Advisor before making any investment decisions.

Follow The Crypto Times on Google News to Stay Updated!      Google News

TAGGED:Crypto Hack
Share This Article
Whatsapp Whatsapp LinkedIn Telegram Copy Link

Latest News

Crypto Market Braces for US CPI and PPI Data as Fed Outlook Looms
Crypto Market Braces for US CPI and PPI Data as Fed Outlook Looms
Senator Hagerty Says CLARITY Act Has Momentum to Pass Soon
Senator Hagerty Says CLARITY Act Has Momentum to Pass Soon
Aave Picks Chainlink CCIP to Power Upcoming Multi-Chain App
Aave Picks Chainlink CCIP to Power Upcoming Multi-Chain App
JIP-38 Approved: Jito to Use JTX Revenue for JTO Buybacks
JIP-38 Approved: Jito to Use JTX Revenue for JTO Buybacks
After Securing MiCA License, OKX Says Banking License Is Not a Priority
After Securing MiCA License, OKX Says Banking License Is Not a Priority

Find Us on Socials

You may also like

BonkDAO Updates Community After $20M Treasury Governance Incident

BonkDAO Updates Community After $20M Treasury Governance Incident

PHX-WBNB Liquidity Pool Drained of Nearly $90K in BNB Chain Exploit

PHX-WBNB Liquidity Pool Drained of Nearly $90K in BNB Chain Exploit

Crypto Loses $35M in a Week BonkDAO, Bonzo Lend, Summer.fi Hacked

Crypto Loses $35M in a Week: BonkDAO, Bonzo Lend, Summer.fi Hacked

Hedera's Biggest DeFi Lender Bonzo Lend Hacked for $9M, $5.25M Bridged to Ethereum

Hedera’s Biggest DeFi Lender Bonzo Lend Hacked for $9M, $5.25M Bridged to Ethereum

The Crypto Times Logo PNG

Providing real-time, accurate Crypto reporting. Your trusted source for Crypto News and Research.

Stay Updated

All News
Exclusive
Opinions
Learn
Videos
Glossary

Company

About Us
Our Authors
Editorial Policy
AI Policy
Advertorial Policy

Get In Touch

Contact Us
Career

Find Us on Socials

X-twitter Linkedin Telegram Youtube Instagram

© 2026 The Crypto Times | A BITROCK TECHNOLOGIES L.L.C. Company.

DMCA.com Protection Status
  • Terms and Conditions
  • Disclaimer
  • Privacy Policy
  • Cookie policy
Do Not Sell or Share My Personal Information