
After a Third Major Breach: THORChain Loses $10.7 Million Due to an Unapplied Patch

深潮TechFlow
Guest columnist
2026-05-25 04:48
When maintenance delays become the norm, who bears the responsibility?
AI Summary
  • Key Insight: On May 15, 2026, THORChain suffered a loss of over $10.7 million after a malicious node exploited a known vulnerability in the Asgard vault due to an unapplied patch. The incident exposed the protocol's long-term neglect of security updates, misaligned audit scope, and contradictory stance toward North Korean hacker groups.
  • Key Elements:
    1. The attacker used a newly added malicious node to exploit a vulnerability in the legacy GG20 TSS cryptographic library running on THORChain, accumulating key material to reconstruct the full private key and execute unauthorized outgoing transactions.
    2. A patch for this vulnerability was submitted to GitLab nine days before the attack (May 6), but was not deployed to the production environment, enabling the attack to succeed.
    3. The losses spanned at least nine chains, including Bitcoin, Ethereum, BSC, etc., totaling approximately $10.7 million. The RUNE token price dropped 15% shortly after the announcement, with a market cap loss of about $27 million.
    4. The protocol has not conducted a formal audit of its core TSS cryptographic library since 2021. While eight audits were performed in 2025, they were all focused on the application layer (Rujira), neglecting the security state of the core infrastructure.
    5. THORChain had previously processed over $1.2 billion in funds for the North Korean hacker group Lazarus and refused to suspend related transactions. However, after this attack, it proactively paused the network for 12 hours and 42 minutes.

Original Author: Rekt

Original Translation: TechFlow

Preface: Hacked three times in five years, a $200 million insolvency crisis, laundering $1.2 billion for North Korea, and even founder jpthor's personal wallet was drained of $1.2 million via a fake meeting scam by North Korean hackers. This time, it wasn't bad luck, but a patch for a known vulnerability sitting in the codebase for nine days without deployment. When maintenance delays become the norm, where does the responsibility lie?

Hacked three times in five years. Plus a $200 million insolvency crisis. On top of that, $1.2 billion laundered for North Korea.

THORChain's relationship with North Korea runs deeper than most protocols are willing to admit.

North Korea even returned the favor, draining $1.2 million from co-founder jpthor's personal wallet in September 2025 through a fake meeting scam.

This doesn't look like a recipe for success, but rather a harbinger of disaster.

Then, on the morning of May 15, another $10.7 million was stolen.

At a certain point, the question is no longer "how did this happen?" but "why does anyone expect it to be different?"

On May 15, 2026, THORChain's Asgard vault was rapidly drained across multiple chains.

THORChain's automated solvency checker triggered a pause – the only security upgrade born from the July 2021 disaster – and froze the network for 12 hours and 42 minutes.

The vault design was sound. The funds were still gone.

RUNE dropped 15% before most of the world had finished reading ZachXBT's Telegram post.

Market cap evaporated by $27 million in minutes.

This is a protocol that stared into the abyss and continued building. But there is a limit to calling the same wound a "learning experience" over and over again.

When the vulnerability type is documented, the patch exists, and funds are still lost, when does delayed maintenance cross the line from negligence to recklessness?

ZachXBT saw it first.

Earlier on May 15, his Telegram channel posted a community alert: THORChain was likely exploited on Bitcoin, Ethereum, BSC, and Base, with losses exceeding $10.7 million.

TRM Labs later expanded the confirmed scope to at least nine chains – adding Avalanche, Dogecoin, Litecoin, Bitcoin Cash, and XRP to the initial four – and revised the total losses upward to over $11 million.

Arkham flagged the attacker's wallet.

But the drain was already complete.

PeckShield publicly confirmed: approximately $10 million drained, including 36.75 BTC and around $7 million in assets, spread across BNB Chain, Ethereum, and Base.

THORChain's own infrastructure moved before the team did.

THORChain's Mimir governance module flipped transaction pause and signature pause parameters to active, with node suspension running from block 26190429 for approximately 12 hours and 42 minutes.

No human decision was needed.

More than 5 hours after ZachXBT's announcement, THORChain released an official statement confirming what on-chain data already showed: one of six Asgard vaults was compromised. $10.7 million was gone.

Node operators securing the affected vault had their staked RUNE slashed for the unauthorized outgoing transactions. Rotations were paused. Chain listings were indefinitely postponed. Early indications showed no individual user transactions were affected.

THORSwap and Metro.exchange immediately halted THORChain routes.

Maya Protocol paused out of caution.

ATOM swaps went dark.

Alternative providers – Chainflip, NEAR Intents, Harbor, Flashnet, Garden, 1inch – continued operating unaffected.

As the ecosystem scrambled, on-chain records were already telling a different story.

Among the earliest signals pointing to the cause: banteg flagged a GitLab commit to THORNode, created on May 6 – nine days before the exploit – titled "Sign complete ObservedTx wrapper to prevent proposer forgery."

The patch existed. It had a name and a timestamp. It was never deployed.

This commit would prove to be a thread in a larger fabric, not the root cause, but an early indicator of the gap between the known and the done.

Nine days separated a committed patch and a $10.7 million loss – so, who is responsible for what exists in that gap?

One Node, One Key, One Sweep

THORChain's vaults are secured by a Threshold Signature Scheme (TSS), a form of multi-party computation where a quorum of nodes jointly produces a cryptographic signature without any single node holding the complete private key.

Distributed trust in theory. In practice, only as strong as each co-signer in the quorum.

The setup began weeks before the drain. A newly created Discord account – "Dinosauruss" – joined the THORChain developer Discord on May 1, asking how to quickly get a node rotated into the network.

The normal three-day rotation interval was delayed for unrelated reasons, forcing the attacker to wait. On May 13, two days before the attack, a brand new node operator holding approximately 635,000 RUNE across two staking addresses rotated into the active validator set and was randomly assigned to one of five vaults.

Over the next two days, the node participated in routine GG20 signing ceremonies, gathering everything it needed.

THORChain's confirmed finding: the attacker exploited a vulnerability in the GG20 TSS implementation that allowed sensitive key material from vault participants to leak over time.

By accumulating enough leaked material across signing rounds, the attacker reconstructed the vault's full TSS private key and directly executed unauthorized outgoing transactions.

The proactive solvency checker tests for insolvency before the vault signs. Here there was no protocol signature for it to intercept. When the vault was found to be short, the passive checker triggered, but by then the funds were already gone.

The solvency checker worked as designed. The attack simply bypassed the layer it monitored.

To understand why the attacker could reconstruct the key in the first place, you need to understand what THORChain was running.

GG20 is a widely used threshold ECDSA protocol, commonly used in systems interacting with Bitcoin and Ethereum.

It also has a documented history of critical vulnerabilities.

CVE-2023-33241 and TSSHOCK, both disclosed in 2023, are key extraction attacks requiring only a single compromised co-signer to reconstruct the complete private key – silently, without triggering an abort, leaving no trace within normal protocol operations.

The specific mechanism used against THORChain has not been publicly confirmed to match any CVE, but both illustrate the class of attack to which the library is susceptible.

THORChain's TSS runs on a fork of the Binance tss-lib implementation of GG20.

As Taylor Monahan noted shortly after the attack was flagged: "Oh wow, looks like THORChain is running a tss-lib that is about 3 years and 2+ major security versions behind."

banteg published the most detailed technical analysis the day after the attack, directly examining THORChain's deployed fork, tss-lib v0.1.6, commit 287e1e2, used for thornode v3.18.0.

His finding: the key generation path accepts and persists a peer's Paillier material without requiring the MOD/FAC family of zero-knowledge proofs that establish the peer's Paillier modulus is a well-formed product of two primes.

Consequently, a malicious node can register a 2048-bit Paillier modulus that passes every check the library performs while containing factors known to the attacker.

Once an honest node persists this malformed key, every signing round that touches it acts as an oracle, leaking residues of other participants' long-term signing shares, which the attacker can accumulate and combine offline.

His harness tests confirmed the oracle shape in the inspected code.
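The check banteg describes as missing, as an added example that is not THORChain's or tss-lib's code: a compact Python rendering of the Paillier-Blum modulus ("mod") proof from CGGMP21, run with constructed toy 10-bit primes so it finishes instantly (the companion FAC proof, which rules out small factors, is not included). An operator who generated N = pq with p ≡ q ≡ 3 (mod 4) can answer every random challenge, while one who registers a three-prime N that is just as odd and just as large fails about half of them, so the verifier rejects the key instead of persisting it.

```python
import math
import random

def crt(residues, moduli):          # Chinese remainder theorem for pairwise-coprime moduli
    n = math.prod(moduli)
    return sum(r * (n // m) * pow(n // m, -1, m) for r, m in zip(residues, moduli)) % n

def is_qr(v, f):                    # Euler criterion: is v a quadratic residue mod the prime f?
    return pow(v % f, (f - 1) // 2, f) == 1

def challenge(n, m=40):             # verifier's challenge: m random elements of Z_N^*
    units = (y for y in iter(lambda: random.randrange(1, n), None) if math.gcd(y, n) == 1)
    return [next(units) for _ in range(m)]

def prove(factors, ys):
    """Prover side; knows the prime factors of N. Returns w and one (x, a, b, z) per y."""
    n, phi = math.prod(factors), math.prod(f - 1 for f in factors)
    w = random.randrange(1, n)      # need Jacobi symbol (w/N) = -1; the prover gets it as the
    while math.gcd(w, n) != 1 or math.prod(1 if is_qr(w, f) else -1 for f in factors) != -1:
        w = random.randrange(1, n)  # product of Legendre symbols over the factors it knows
    proof = []
    for y in ys:
        x = 0                       # stays 0 (rejected) unless some fix makes y' a QR mod every factor
        for a, b in ((0, 0), (0, 1), (1, 0), (1, 1)):
            y_prime = ((-1) ** a * pow(w, b, n) * y) % n
            if all(is_qr(y_prime, f) for f in factors):
                # for f = 3 (mod 4), v^(((f+1)/4)^2) mod f is a fourth root of a QR v
                x = crt([pow(y_prime, ((f + 1) // 4) ** 2, f) for f in factors], factors)
                break
        z = pow(y, pow(n, -1, phi), n)   # N-th root of y; exists because gcd(N, phi(N)) = 1
        proof.append((x, a, b, z))
    return w, proof

def verify(n, ys, w, proof):
    """Verifier side; knows only N. Accepts iff N is odd, not a (pseudo)prime, and every challenge is answered."""
    if n % 2 == 0 or pow(2, n - 1, n) == 1 or not 0 < w < n:
        return False
    return all(0 < x < n and 0 < z < n and pow(z, n, n) == y
               and pow(x, 4, n) == ((-1) ** a * pow(w, b, n) * y) % n
               for y, (x, a, b, z) in zip(ys, proof))

def run(factors):                   # one full interaction for N = product(factors)
    n = math.prod(factors)
    ys = challenge(n)
    return verify(n, ys, *prove(factors, ys))

# Constructed toy primes, all = 3 (mod 4). N = pq is a genuine Paillier-Blum modulus and is accepted;
# N = pqr is just as odd and just as large, but is rejected with probability about 1 - 2^-40.
print(run([1019, 1031]), run([1019, 1031, 1039]))   # True False
```

In a real TSS library the same interaction runs with 1024-bit primes and a non-interactive Fiat-Shamir challenge, and a peer whose proof fails is simply never persisted.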

jpthor saw this early, flagging GG20 as the most likely explanation within hours of the pause.

Charles Guillemet elaborated on the broader structural issue: in every published GG18 and GG20 attack, a single malicious or compromised co-signer is sufficient.

Not a majority, not a quorum, one.

If a single participant is malicious, the entire premise of distributed key security collapses at the co-signer layer.

jpthor has since laid out a three-step roadmap: patch GG20 to bring THORChain back online; migrate all ECDSA protocols to DKLS; then migrate Bitcoin signatures to FROST.

He described GG20 as a "black box" with "many fragile assumptions" that "will always be a black box," the closest thing to an internal admission on the public record.

THORChain partnered with Silence Labs in November 2025 to build a custom DKLS implementation, with a target delivery of Q1/Q2 2026. That work was not yet complete, which is why GG20 was still in production at the time of the attack.

THORChain's rotation mechanism, where validators periodically rotate in and out of active Asgard vaults, made this possible.

Without it, the malicious operator had no path to join a vault, participate in signing ceremonies, and accumulate key material. The attacker didn't need to break the cryptography. They just needed to get in the room.

The investigation continues with THORSec and Outrider Analytics.

Law enforcement has been contacted. The attacker's identity remains unknown.

An incident report was published on May 20. A follow-up report will be released once the investigation is complete and a recovery plan is finalized.

What is known is the on-chain link between the node address, staking wallets, and receiving wallets, along with the confirmed mechanism – a cryptographic library years behind on security versions, running on a fork containing an implementation flaw capable of leaking vault key material to a patient malicious operator.

Malicious Node:

thor16ucjv3v695mq283me7esh0wdhajjalengcn84q

THORChain's rotation mechanism exists to rotate trust; someone used it to buy time.

So, how many other GG20-based vaults in DeFi are sitting on the same unpatched library, waiting for the next patient operator?

Wiped Clean

Multiple chains, dozens of tokens, one address.

Whoever did it knew exactly where everything was and moved with a precision that doesn't suggest improvisation.

Before the network pause fully propagated, every ERC-20 token on Ethereum, BNB Chain, and Base was funneled to an attacker-controlled address. Bitcoin moved in parallel.

By the time ZachXBT posted his alert, the consolidation was complete.

QuillAudits published a full chain-by-chain breakdown on May 19.

The drain breakdown is as follows...

Malicious Activity on Ethereum

Stablecoins, blue-chip DeFi tokens, and protocol-native assets drained from the vault:

1,756,756.02 USDT · 1,261,986.53 USDC · 73,768,463.86 XRUNE · 3,349,323.54 THOR · 5.206 WBTC · 64,138.47 LUSD · 61,074.86 GUSD · 38,762.45 USDP · 1,044.06 LINK · 4,567.54 DAI · 78.10 AAVE · 1,514.92 SNX · 481,996.68 FOX · 1.057 YFI · 11.43 DPI

Attacker Address:

0x82fc0d5150f3548027e971ec04c065f3c93154eb

THORChain Vault:

0x82a5CF67F3e6970C0529122178075C0a94878bDA

Outgoing Transaction:

View All on Etherscan

Funds Sent To (approx. $6.77 million):

0xd477b69551f49C0519F9B18c55030676138890Bd

Malicious Activity on BNB Chain

Diverse token basket drained, including stablecoins, wrapped BTC, and ETH equivalents:

274,256.09 USDC · 125,117.17 BSC-USD · 32,144.23 BUSD · 32,980.44 TWT · 15.615 ETH · 0.509 BTCB

Attacker Address:

0x82fc0d5150f3548027e971ec04c065f3c93154eb

THORChain Vault:

0x82a5cf67f3e6970c0529122178075c0a94878bda

Outgoing Transaction:

View All on BSCscan

Malicious Activity on Bitcoin

Two outgoing transactions totaling over 40 BTC (approx. $3.26 million):

36.85351435 BTC · 3.87429558 BTC

Attacker Address:

bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37

THORChain Vault:

bc1qt8f467qdkpmuflgwvgvvlr86r0kldnnvm7zhyv

Outgoing Transaction:

View All on mempool.space (Scroll down to Transactions)

Malicious Activity on Avalanche

Avalanche stablecoins and SOL equivalent assets drained:

238,325.94 USDC · 43,041.25 USDT · 388.94 SOL

Attacker Address:
