三度团灭之后：THORChain 因一个未上线的补丁再失1070万美元

深潮TechFlow

特邀专栏作者

2026-05-25 04:48

이 기사는 약 10371자로, 전체를 읽는 데 약 15분이 소요됩니다

THORChain, 1070만 달러 추가 손실… 미배포된 패치가 부른 세 번째 참사

AI 요약

펼치기

유지보수 지연이 일상화되었을 때, 책임은 누구에게 있을까?

Original Author: Rekt

Original Translation: TechFlow

Preface: Robbed three times in five years, $200 million in insolvency, $1.2 billion laundered for North Korea, and even founder jpthor's personal wallet was drained of $1.2 million by North Korean hackers through a fake meeting scam. This time, it wasn't bad luck; a patch for a known vulnerability sat in the code repository for nine days without being deployed. When maintenance delays become the norm, where does the responsibility lie?

Robbed three times in five years. Plus a $200 million insolvency crisis. Plus $1.2 billion laundered for North Korea.

THORChain's relationship with North Korea runs deeper than most protocols are willing to admit.

North Korea even returned the favor, stealing $1.2 million from co-founder jpthor's personal wallet in September 2025 via a fake meeting scam.

This doesn't look like a recipe for success; it looks more like a harbinger of disaster.

Then, on the morning of May 15th, another $10.7 million was stolen.

At a certain point, the question is no longer "how did this happen," but "why is anyone still expecting things to be different?"

On May 15, 2026, THORChain's Asgard vaults were rapidly drained across multiple chains.

THORChain's own automatic solvency checker triggered a pause—the only security upgrade born from the July 2021 disaster—and froze the network for 12 hours and 42 minutes.

The vault's design was sound. The funds were still gone.

RUNE dropped 15% before most of the world finished reading ZachXBT's Telegram post.

$27 million in market cap evaporated within minutes.

This is a protocol that stared into the abyss and kept building. But there's a limit to calling the same wound a "learning experience" over and over.

When the vulnerability type is documented, a patch already exists, and funds are still lost, at what point does deferred maintenance shift from negligence to culpability?

ZachXBT saw it first.

Earlier on May 15th, his Telegram channel posted a community alert: THORChain was likely exploited on Bitcoin, Ethereum, BSC, and Base, with losses exceeding $10.7 million.

TRM Labs later expanded the confirmed scope to at least nine chains—adding Avalanche, Dogecoin, Litecoin, Bitcoin Cash, and XRP to the initial four—and revised total losses upwards to over $11 million.

Arkham flagged the attacker's wallet.

But the drain was already complete.

PeckShield publicly confirmed: approximately $10 million drained, including 36.75 BTC and about $7 million in assets spread across BNB Chain, Ethereum, and Base.

THORChain's own infrastructure acted before the team did.

THORChain's Mimir governance module flipped the transaction pause and signature pause parameters to active, halting nodes starting from block 26190429 for roughly 12 hours and 42 minutes.

No human decision required.

More than 5 hours after ZachXBT's announcement, THORChain issued an official statement confirming what the on-chain data already showed: one of the six Asgard vaults had been compromised. $10.7 million was gone.

Node operators securing the affected vault were slashed their staked RUNE due to unauthorized outgoing transactions. Rotations paused. Chain listings postponed indefinitely. Preliminary indications showed no individual user transactions were affected.

THORSwap and Metro.exchange immediately halted THORChain routes.

Maya Protocol paused out of caution.

ATOM swaps went dark.

Alternative providers—Chainflip, NEAR Intents, Harbor, Flashnet, Garden, 1inch—continued operating, unaffected.

As the ecosystem scrambled, the on-chain record was already telling a different story.

Among the earliest signals pointing to the cause: banteg flagged a GitLab commit to THORNode, created on May 6th—nine days before the exploit—titled "sign full ObservedTx wrapper to prevent proposer equivocation".

The patch existed. It had a name and a timestamp. It was never released.

This commit would prove to be one thread in a larger fabric, not the root cause, but an early indicator of the gap between what was known and what was done.

Nine days separated a committed patch from a $10.7 million loss—so who exactly is responsible for what existed in that gap?

One Node, One Key, One Sweep

THORChain's vaults are secured by a Threshold Signature Scheme (TSS), a form of multi-party computation where a quorum of nodes collectively generates cryptographic signatures without any single node possessing the complete private key.

Distributed trust in theory. In practice, it's only as strong as every co-signer in the quorum.

The setup began weeks before the drain. A newly created Discord account—"Dinosauruss"—joined the THORChain developer Discord on May 1st, asking how to get a node rotated into the network as quickly as possible.

For unrelated reasons, the normal three-day rotation interval was delayed, forcing the attacker to wait. On May 13th, two days before the exploit, a brand-new node operator with approximately 635,000 RUNE across two staking addresses rotated into the active validator set and was randomly assigned to one of five vaults.

Over the next two days, the node participated in regular GG20 signing ceremonies, gathering everything it needed.

THORChain's confirmed findings: the attacker exploited a vulnerability in the GG20 TSS implementation that allowed sensitive key material of vault participants to leak over time.

By accumulating enough leaked material during signing rounds, the attacker reconstructed the vault's full TSS private key and directly executed unauthorized outgoing transactions.

The active solvency checker checked for insolvency before signing. There was no signature to capture. The passive checker activated when a shortfall appeared in the vault, by which time the funds were already gone.

The solvency checker worked as designed. The exploit simply bypassed the layer it monitored.

To understand why the attacker could reconstruct the key in the first place, you need to understand what THORChain was running.

GG20 is a widely used threshold ECDSA protocol, commonly found in systems interacting with Bitcoin and Ethereum.

It also has a documented history of critical vulnerabilities.

CVE-2023-33241 and TSSHOCK, both disclosed in 2023, are key extraction attacks that require only a single compromised co-signer to reconstruct the full private key—silently, without triggering an abort, leaving no trace during normal protocol operations.

The specific mechanism used against THORChain hasn't been publicly confirmed to match any CVE, but both illustrate the class of vulnerability the library is susceptible to.

THORChain's TSS runs on a fork of Binance's tss-lib implementing GG20.

As Taylor Monahan noted shortly after the exploit was flagged: "Oh dear, it looks like THORChain is running a tss-lib that is approximately 3 years and 2+ major security versions behind."

banteg published the most detailed technical analysis the day after the exploit, directly examining THORChain's deployed fork, tss-lib v0.1.6, commit 287e1e2, used for thornode v3.18.0.

His findings: the key generation path accepts and persists peer Paillier material without establishing a well-formed two-prime Paillier modulus via the MOD/FAC proof family.

Consequently, a malicious node can register a 2048-bit Paillier modulus that passes every check the library performs while containing factors known to the attacker.

Once honest nodes persist this malformed key, every signing round touching it exposes an oracle shape in the checked code, leaking residuals of other participants' long-term signing shares that the attacker can accumulate and combine offline.

His harness tests confirmed the oracle shape in the checked code.

jpthor saw this early, flagging GG20 as the most likely explanation within hours of the pause.

Charles Guillemet articulated the broader structural issue: in every published GG18 and GG20 attack, a single malicious or compromised co-signer was sufficient.

Not a majority, not a quorum, just one.

If a single participant is malicious, the entire premise of distributed key security collapses at the co-signer layer.

jpthor has since laid out a three-step roadmap: patch GG20 to get THORChain back online; migrate all ECDSA protocols to DKLS; then migrate Bitcoin signing to FROST.

He described GG20 as a "black box" with "many fragile assumptions" that "will forever be a black box"—the closest thing to an internal admission in the public record.

THORChain partnered with Silence Labs in November 2025 to build a custom DKLS implementation, targeting delivery for Q1/Q2 2026. That's why GG20 was still in production at the time of the exploit. The work wasn't finished.

THORChain's rotation mechanism—the process by which validators periodically rotate in and out of active Asgard vaults—made this possible.

Without it, a malicious operator would have no path to join a vault, participate in signing ceremonies, and accumulate key material. The attacker didn't need to break the cryptography. They just needed to get in the room.

The investigation continues with THORSec and Outrider Analytics.

Law enforcement has been contacted. The attacker's identity remains unknown.

An incident report was published on May 20th. A follow-up report will be released once the investigation is complete and a recovery plan is finalized.

What is known is the on-chain link between the node address, staking wallets, and receiving addresses, along with the confirmed mechanism—a cryptographic library years behind in security versions, running on a fork with an implementation flaw capable of leaking vault key material to a patient malicious operator.

Malicious node:

thor16ucjv3v695mq283me7esh0wdhajjalengcn84q

THORChain's rotation mechanism exists to rotate trust. Someone used it to buy time.

So how many other GG20-based vaults in DeFi sit on the same unpatched library, waiting for the next patient operator?

Wiped Clean

Multiple chains, dozens of tokens, one address.

Whoever did it knew exactly where everything was and moved with a precision that didn't suggest improvisation.

Before the network pause fully propagated, every ERC-20 token on Ethereum, BNB Chain, and Base was funneled to the attacker's controlled address. Bitcoin moved in parallel.

By the time ZachXBT published his alert, the consolidation was complete.

QuillAudits published a full chain-by-chain breakdown on May 19th.

The drain looked like this...

Malicious Activity on Ethereum

Stablecoins, blue-chip DeFi tokens, and protocol-native assets drained from the vault:

1,756,756.02 USDT · 1,261,986.53 USDC · 73,768,463.86 XRUNE · 3,349,323.54 THOR · 5.206 WBTC · 64,138.47 LUSD · 61,074.86 GUSD · 38,762.45 USDP · 1,044.06 LINK · 4,567.54 DAI · 78.10 AAVE · 1,514.92 SNX · 481,996.68 FOX · 1.057 YFI · 11.43 DPI

Attacker Address:

0x82fc0d5150f3548027e971ec04c065f3c93154eb

THORChain Vault:

0x82a5CF67F3e6970C0529122178075C0a94878bDA

Outgoing Transactions:

View all on Etherscan

Funds sent to (approx. $6.77 million):

0xd477b69551f49C0519F9B18c55030676138890Bd