三团灭之后：THORChain 因一个未上线的补丁再失1070万美元

深潮TechFlow

特邀专栏作者

2026-05-25 04:48

Bài viết này có khoảng 10371 từ, đọc toàn bộ bài viết mất khoảng 15 phút

当维护推迟变成常态，责任该算在谁头上？

Tóm tắt AI

Mở rộng

核心观点：2026年5月15日，THORChain因未部署已知漏洞的补丁，导致Asgard金库被恶意节点入侵，损失超1070万美元。事件暴露了协议长期忽视安全更新、审计范围错位以及面对朝鲜黑客组织时的矛盾立场。
关键要素：
1. 攻击者通过新加入的恶意节点，利用THORChain运行的旧版GG20 TSS密码库漏洞，累积密钥材料后重建完整私钥，执行了未经授权的转出交易。
2. 一个针对该漏洞的补丁早在攻击前9天（5月6日）就已提交至GitLab，但未被部署至生产环境，导致攻击得以成功实施。
3. 损失覆盖至少9条链，包括比特币、以太坊、BSC等，总计约1070万美元。RUNE代币价格在消息公布后迅速下跌15%，市值蒸发约2700万美元。
4. 协议自2021年后未对核心TSS密码库进行过正式审计，而2025年的8次审计均集中于应用层（Rujira），核心基础设施的安全状态被忽视。
5. THORChain此前曾为朝鲜黑客组织Lazarus处理超过12亿美元的资金，并拒绝暂停相关交易，但在本次攻击后却主动暂停网络12小时42分钟。

Original Author: Rekt

Translation: TechFlow

Overview: Hacked three times in five years, USD 200 million insolvency, laundering USD 1.2 billion for North Korea, and even founder jpthor had his personal wallet drained of USD 1.2 million by North Korean hackers in a fake meeting scam. This wasn't bad luck—a fix for a known vulnerability sat in the code repository for nine days without being deployed. When maintenance delays become the norm, where does the blame lie?

Hacked three times in five years. A USD 200 million insolvency crisis. Plus USD 1.2 billion laundered for North Korea.

THORChain's relationship with North Korea runs deeper than most protocols would like to admit.

North Korea even repaid the favor, draining USD 1.2 million from co-founder jpthor's personal wallet in September 2025 via a fake meeting scam.

This doesn't look like a recipe for success. It looks like a recipe for disaster.

Then, on the morning of May 15, another USD 10.7 million was stolen.

At some point, the question stops being "how did this happen?" and becomes "why does anyone still expect a different outcome?"

On May 15, 2026, THORChain's Asgard vaults were rapidly drained across multiple chains.

THORChain's automated solvency checker triggered a pause—the only security upgrade born from the July 2021 disaster—and froze the network for 12 hours and 42 minutes.

The vault design worked. The funds were still gone.

RUNE dropped 15% before most of the world had even finished reading ZachXBT's Telegram post.

USD 27 million in market cap evaporated in minutes.

This is a protocol that stared into the abyss and kept building. But there's a limit to how many times you can call the same wound a "learning experience."

When a vulnerability type is documented, a fix exists, and the funds are still lost, at what point does a maintenance delay shift from negligence to liability?

ZachXBT saw it first.

Earlier on May 15, his Telegram channel posted a community alert: THORChain had likely been exploited on Bitcoin, Ethereum, BSC, and Base, with losses exceeding USD 10.7 million.

TRM Labs later confirmed the scope to at least nine chains—adding Avalanche, Dogecoin, Litecoin, Bitcoin Cash, and XRP to the initial four—and raised the total losses to over USD 11 million.

Arkham flagged the attacker's wallets.

But the drain was already complete.

PeckShield publicly confirmed: approximately USD 10 million was drained, including 36.75 BTC and about USD 7 million in assets across BNB Chain, Ethereum, and Base.

THORChain's own infrastructure moved before the team did.

THORChain's Mimir governance module flipped the transaction pause and signing pause parameters to active, and node suspension began running from block 26190429 for approximately 12 hours and 42 minutes.

No human decision required.

More than five hours after ZachXBT's announcement, THORChain released an official statement confirming what the on-chain data already showed: one of six Asgard vaults was compromised. USD 10.7 million was gone.

Node operators securing the affected vault were slashed for the unauthorized outgoing transaction. Rotations were paused. Chain listings were postponed indefinitely. Preliminary indications showed no individual user transactions were affected.

THORSwap and Metro.exchange immediately halted THORChain routing.

Maya Protocol paused out of caution.

ATOM trading went dark.

Alternative providers—Chainflip, NEAR Intents, Harbor, Flashnet, Garden, 1inch—continued running, unaffected.

While the ecosystem scrambled, the on-chain record was already telling a different story.

Among the earliest signals pointing to the cause: banteg flagged a GitLab commit to THORNode, created on May 6—nine days before the exploit—titled "Sign full ObservedTx wrapper to prevent proposer forging."

The fix existed. It had a name and a timestamp. It was never deployed.

This commit would prove to be one thread in a larger fabric—not the root cause, but an early indicator of the gap between knowing and doing.

Nine days separated a committed patch and a USD 10.7 million loss—so who is accountable for what existed in that gap?

One Node, One Key, One Sweep

THORChain's vaults are secured by a Threshold Signature Scheme (TSS), a form of multi-party computation where a quorum of nodes collectively generates cryptographic signatures without any single node holding the full private key.

Distributed trust in theory. In practice, only as strong as every co-signer in the quorum.

The setup began weeks before the drain. A newly created Discord account—"Dinosauruss"—joined the THORChain developer Discord on May 1, asking how to get a node rotated into the network as quickly as possible.

For unrelated reasons, the normal three-day rotation interval was delayed, forcing the attacker to wait. On May 13, two days before the exploit, a brand-new node operator holding approximately 635,000 RUNE across two staking addresses rotated into the active validator set and was randomly assigned to one of five vaults.

Over the next two days, that node participated in routine GG20 signing ceremonies, gathering everything it needed.

THORChain's confirmed findings: the attacker exploited a vulnerability in the GG20 TSS implementation that allowed sensitive key material of vault participants to leak over time.

By accumulating enough leaked material across signing rounds, the attacker reconstructed the vault's full TSS private key and directly executed unauthorized outgoing transactions.

The proactive solvency checker checks for insolvency before signing. No signature for it to catch. When a vault shortfall appeared, the passive checker triggered—but by then, the funds were already gone.

The solvency checker worked as designed. The exploit simply bypassed the layer it monitored.

To understand why the attacker could reconstruct the key in the first place, you need to understand what THORChain was running.

GG20 is a widely used threshold ECDSA protocol, commonly used in systems interacting with Bitcoin and Ethereum.

It also has a documented history of critical vulnerabilities.

CVE-2023-33241 and TSSHOCK, both disclosed in 2023, are key extraction attacks requiring only a single compromised co-signer to reconstruct the full private key—silently, without triggering aborts, leaving no trace in normal protocol operations.

The specific mechanism used against THORChain has not been publicly confirmed to match any CVE, but both illustrate the class of attack the library is vulnerable to.

THORChain's TSS runs on a fork of Binance's tss-lib implementing GG20.

As Taylor Monahan pointed out shortly after the exploit was flagged: "Yikes, looks like THORChain is running a tss-lib that's about 3 years and 2+ major security versions behind."

banteg published the most detailed technical analysis the day after the exploit, directly examining THORChain's deployed fork, tss-lib v0.1.6, commit 287e1e2, used in thornode v3.18.0.

His finding: the key generation path accepts and persists peer Paillier material without establishing proofs of a well-formed two-prime Paillier modulus (MOD/FAC proofs).

Consequently, a malicious node could register a 2048-bit Paillier modulus that passes every check the library performs, while containing factors known to the attacker.

Once an honest node persisted that malformed key, every signing round that touched it exposed an oracle shape in the checked code, leaking residuals of other participants' long-term signing shares that the attacker could accumulate and combine offline.

His harness tests confirmed the oracle shape in the checked code.

jpthor saw this early, flagging GG20 as the most likely explanation within hours of the pause.

Charles Guillemet articulated the broader structural issue: in every published GG18 and GG20 attack, a single malicious or compromised co-signer is sufficient.

Not a majority, not a quorum—one.

If a single participant is malicious, the entire premise of distributed key security collapses at the co-signer layer.

jpthor has since outlined a three-step roadmap: patch GG20 to bring THORChain back online; migrate all ECDSA protocols to DKLS; then migrate Bitcoin signing to FROST.

He described GG20 as a "black box" with "many brittle assumptions" that "will always be a black box"—the closest thing to an internal admission in the public record.

THORChain began collaborating with Silence Labs in November 2025 to build a custom DKLS implementation, with a target delivery of Q1/Q2 2026. This is why GG20 was still in production at the time of the exploit. That work was not yet finished.

THORChain's rotation mechanism—the process by which validators periodically rotate in and out of active Asgard vaults—made this possible.

Without it, a malicious operator would have no path to join a vault, participate in signing ceremonies, and accumulate key material. The attacker didn't need to break the cryptography. They just needed to get in the room.

Investigations continue alongside THORSec and Outrider Analytics.

Law enforcement has been contacted. The attacker's identity remains unknown.

An exploit report was published on May 20. A follow-up report will be published once the investigation is complete and a recovery plan is finalized.

What is known: the on-chain links between the node address, staking wallets, and receiving wallets, and the confirmed mechanism—a cryptographic library years behind on security versions, running on a fork containing an implementation flaw capable of leaking vault key material to a patient, malicious operator.

Malicious node:

thor16ucjv3v695mq283me7esh0wdhajjalengcn84q

THORChain's rotation mechanism exists to rotate trust. Someone used it to buy time.

So how many other GG20-based vaults in DeFi are sitting on the same unpatched library, waiting for the next patient operator?

Cleaned Out

Multiple chains, dozens of tokens, one address.

Whoever did this knew exactly where everything was and moved with a precision that suggests nothing was improvised.

Before the network pause could fully propagate, every ERC-20 token on Ethereum, BNB Chain, and Base was funneled to attacker-controlled addresses. Bitcoin moved in parallel.

By the time ZachXBT issued his alert, the consolidation was complete.

QuillAudits published a full chain-by-chain breakdown on May 19.

The drain unfolded as follows...

Malicious Activity on Ethereum

Stablecoins, blue-chip DeFi tokens, and protocol-native assets drained from the vault:

1,756,756.02 USDT · 1,261,986.53 USDC · 73,768,463.86 XRUNE · 3,349,323.54 THOR · 5.206 WBTC · 64,138.47 LUSD · 61,074.86 GUSD · 38,762.45 USDP · 1,044.06 LINK · 4,567.54 DAI · 78.10 AAVE · 1,514.92 SNX · 481,996.68 FOX · 1.057 YFI · 11.43 DPI

Attacker Address:

0x82fc0d5150f3548027e971ec04c065f3c93154eb

THORChain Vault:

0x82a5CF67F3e6970C0529122178075C0a94878bDA

Outgoing Transaction:

View all on Etherscan

Funds sent to (approx. USD 6.77M):

0xd477b69551f49C0519F9B18c55030676138890Bd