THORChain: Network Paused Due to Security Incident, Suspected Single Malicious Node Exploiting GG20 TSS Vulnerability to Steal Funds

Odaily reported that THORChain posted on platform X, stating that its developers have released an incident update on Discord. Current evidence points to a newly joined node, thor16uc...cn84q, being associated with the attack, which was operated by a single malicious actor. The primary hypothesis is that the attacker exploited a vulnerability in the GG20 TSS implementation, causing sensitive key material of vault participants to be leaked over time, ultimately allowing the reconstruction of the vault's private keys to execute unauthorized outgoing transactions.

Regarding the network status, the network has been paused after multiple node operators executed the `make pause` command. RUNE transfers and on-chain observation may resume within approximately 12 hours, but trading, LP operations, signing, and other sensitive operations remain suspended.

Discussions on recovery plans include slashing the affected node's bond, covering the losses with Protocol-Owned Liquidity (POL), or other community-driven solutions. THORSec and Outrider Analytics are continuing their investigation, while the Treasury is collecting forensic data and coordinating with relevant law enforcement agencies. Full functional recovery is expected to take several days or more.