$10.8M THORChain Vault Hack Shock: Malicious Node & TSS Breach Exposed!

THORChain Incident Update: Malicious Node and GG20 TSS Exploit Suspected

A vulnerability in THORChain’s threshold signature scheme likely led to a $10.8 million exploit, highlighting security risks in cross-chain liquidity protocols.
The incident underscores the importance of robust validator node vetting, as a newly added node is suspected to be linked to the exploit, potentially due to inadequate screening.
The partial network pause and ongoing investigation underscore the challenges of maintaining security and trust in decentralized networks, impacting the broader cryptocurrency industry.

As an analyst following the situation, my read is that the recent exploit impacting THORChain, in which roughly $10.8 million was drained, likely originated from a newly activated validator node. That’s the current understanding based on the evidence we’re seeing from the THORChain team.

Developers reported on Friday that the most likely cause of the recent incident is a weakness in THORChain’s security system – specifically, its GG20 threshold signature scheme. They believe an attacker exploited this weakness to gradually steal key information. This stolen information was then used to recreate a private key for the system’s vault, allowing the attacker to make unauthorized withdrawals.

Here’s an update on the recent THORChain incident. The team believes the attack originated from a newly activated node, and it’s likely controlled by a single attacker. Their main theory is…

— THORChain (@THORChain) May 15, 2026

The network is still operating with limited functionality as developers, security experts, and those who run the network work to get things back to normal and address the recent issues.

Newly added validator under scrutiny

In my investigation, I’ve identified a validator node – thor16ucjv3v695mq283me7esh0wdhajjalengcn84q – as potentially connected to the recent exploit. This node only joined our active validator set a few days prior to the incident, which raised a red flag during my analysis.

Developers have found a link between the Ethereum addresses used to buy and lock up RUNE for the network node and addresses that later received funds from a theft. Current evidence suggests a single attacker, likely a node operator, was responsible, but the investigation is still in progress.

GG20 TSS vulnerability emerges as leading theory

THORChain protects its vault funds with a threshold signature scheme (TSS): no single party holds the vault’s private key, and signing requires multiple nodes to cooperate.

Developers believe a flaw in the protocol’s GG20 TSS implementation may have gradually leaked parts of the vault’s private key material. If enough of this material was leaked, an attacker could have recovered the full key and made unauthorized transactions. The team is still investigating the issue and hasn’t yet published a complete analysis of what happened.

Network paused as recovery plan takes shape

After a security issue was found, the people running the network’s nodes used a ‘pause’ command, temporarily halting activity. THORChain expects the pause to lift automatically in about 12 hours, unless the node operators decide to keep it going. Those involved in the project are ready to allow transfers of RUNE and monitoring of the blockchain to start again when the pause is over.

Important features like trading, providing liquidity, and approving transactions will stay temporarily paused until the network decides on a complete solution to the problem.

Recovery options include bond slashing and POL

Node operators are exploring different solutions to address recent losses. Some of the ideas they’re looking at are:

  • Slashing the bonds of nodes that participated in the affected vault
  • Using protocol-owned liquidity (POL) to absorb part or all of the loss
  • Adopting other recovery proposals submitted by the community

No final decision has been made.

THORChain is investigating the attack, with its treasury team collecting evidence and working alongside security experts from THORSec and Outrider Analytics. They are also collaborating with law enforcement to find the person responsible and attempt to recover any stolen funds.

Incident follows earlier $10.8 million estimate

This new information confirms previous findings from security companies like Cyvers and blockchain analysts, who determined the security breach impacted digital assets on Bitcoin, Ethereum, BNB Chain, and Base.

Early reports indicated losses around $10.8 million. The stolen funds appear to have been gathered in digital wallets containing Ethereum, Bitcoin, and Binance Coin.

Full restart may take days

Experts estimate it will take several days to fully restore THORChain, and the process could take even longer depending on how node operators address the issue.

Right now, we’re working to understand exactly how the security issue happened, limit any further damage, and agree on the best way for the system to handle the resulting financial losses.


2026-05-15 23:35