THORChain says it understands the attack, ships a fix tomorrow

@THORChain has issued its third public update following a roughly $10 million exploit that struck the protocol on May 15, saying the core team now has a firm grasp of how the attack was executed but is not yet ready to disclose the technical specifics.

Version 3.18.1 is expected to be released for node operators the following day, representing the first concrete remediation step since the network entered its partial pause.

A GG20 Signature Flaw at the Centre

The leading theory, according to the team, is that the attacker exploited a flaw in THORChain's GG20 Threshold Signature Scheme (TSS) implementation. Developers and THORSec believe the attacker exploited a vulnerability in the GG20 implementation that caused partial key material to leak incrementally during normal signing ceremonies, and that by accumulating enough leaked shards the attacker was able to reconstruct the vault's full private key.

Investigators flagged a single recently churned validator as the likely entry point, and in THORChain terms churning is the regular process by which the active validator set rotates. The node in question had joined the active set only days before the exploit.

The team stated that the attack vector does not appear to be tied to any currently known GG20 exploit, and it is still assessing whether other GG20 implementations elsewhere could be at risk. The industry has known for years that newer protocols such as CGGMP21 and cggmp24 offer stronger guarantees against malformed-proof attacks, and the incident will almost certainly accelerate migration discussions across multiple protocols, not just THORChain.

Recovery Question Goes to Governance

THORChain was exploited for roughly $10.8 million, with the attack affecting deployments across four different blockchains. Wallets linked to the attacker hold roughly 3,443 ETH, 36.85 BTC, and 96.6 BNB, while the $RUNE token fell about 12 percent following the news.

How to handle the lost funds remains an open question. The team confirmed the matter will go to a community governance vote rather than a confirmed compensation program. Recovery options under discussion include slashing collateral from affected nodes and covering losses via Protocol-Owned Liquidity, among other community-led measures.

The network will remain partially paused until node operators reach consensus on a recovery approach. The THORChain treasury is actively collecting forensic data and coordinating with Outrider Analytics and relevant law enforcement agencies in an effort to identify the attacker and pursue recovery of stolen funds where possible.

The incident is the latest in a difficult stretch for DeFi security. Cross-chain bridges and liquidity protocols have suffered more than $2.8 billion in cumulative thefts since 2021, according to Chainalysis.

Sources:
CoinDesk: THORChain Halts Trading After $10M Cross-Chain Exploit
The Block: THORChain Pauses Trading as Researchers Flag $10M Exploit
Crypto Times: $10.8M Drained Inside the THORChain Exploit