THORChain: Network halted due to security incident, suspected single malicious node exploiting GG20 TSS vulnerability to steal funds
Odaily reported that THORChain posted on X that its developers had released an incident update on Discord. Current evidence points to a newly joined node, thor16uc...cn84q, operated by a single malicious actor, as being associated with the attack. The primary hypothesis is that the attacker exploited a vulnerability in the GG20 TSS implementation that caused sensitive key material of vault participants to leak over time, ultimately allowing the attacker to reconstruct the vault's private key and execute unauthorized outgoing fund transactions.
As for network status, the network has been halted after multiple node operators executed 'make pause'. RUNE transfers and on-chain observation may resume within approximately 12 hours, but trading, LP operations, signing, and other sensitive actions remain paused.
Recovery options under discussion include slashing the affected node's bond, covering losses through Protocol Owned Liquidity (POL), or other community-driven solutions. THORSec and Outrider Analytics are continuing their investigation, and the Treasury is collecting forensic data and coordinating with relevant law enforcement agencies. Full functional recovery is expected to take several days or more.
