三度团灭之后：THORChain 因一个未上线的补丁再失1070万美元

深潮TechFlow

特邀专栏作者

2026-05-25 04:48

本文約10371字，閱讀全文需要約15分鐘

After being devastated three times: THORChain loses another $10.7 million due to an unapplied patch

AI總結

展開

When delayed maintenance becomes the norm, who is to blame?

Original Author: Rekt

Original Translation: TechFlow

Introduction: Three hacks in five years, a $200 million insolvency crisis, $1.2 billion laundered for North Korea, and even founder jpthor's personal wallet was drained of $1.2 million by North Korean hackers using a fake meeting scam. This time it's not bad luck—a patch for a known vulnerability sat in the code repository for nine days without being deployed. When maintenance delays become the norm, who bears the responsibility?

Three hacks in five years. Plus a $200 million insolvency crisis. And $1.2 billion laundered for North Korea.

THORChain's relationship with North Korea runs deeper than most protocols are willing to admit.

North Korea even returned the favor, draining $1.2 million from co-founder jpthor's personal wallet in September 2025 via a fake meeting scam.

This doesn't look like a recipe for success. It looks like a recipe for disaster.

Then on the morning of May 15, another $10.7 million was stolen.

At a certain point, the question stops being "how did this happen" and becomes "why is anyone still expecting a different outcome"?

On May 15, 2026, THORChain's Asgard vaults were rapidly drained across multiple chains.

THORChain's own automatic solvency checker triggered a pause—the only security upgrade born from the July 2021 catastrophe—and froze the network for 12 hours and 42 minutes.

The vault's design was sound. The funds were still gone.

RUNE dropped 15% before most of the world had finished reading ZachXBT's Telegram post.

Market cap evaporated by $27 million in minutes.

This is a protocol that stared into the abyss and kept building. But there's a limit to how many times the same wound can be called a "learning experience."

When the vulnerability type is documented, the patch already exists, and the funds still disappear, at what point does deferred maintenance shift from negligence to dereliction?

ZachXBT saw it first.

Early on May 15, his Telegram channel posted a community alert: THORChain was likely exploited on Bitcoin, Ethereum, BSC, and Base, with losses exceeding $10.7 million.

TRM Labs later confirmed the scope extended to at least nine chains—adding Avalanche, Dogecoin, Litecoin, Bitcoin Cash, and XRP to the initial four—and revised total losses upwards to over $11 million.

Arkham tagged the attacker's wallets.

But the draining was already complete.

PeckShield publicly confirmed: approximately $10 million drained, including 36.75 BTC and ~$7 million in assets spread across BNB Chain, Ethereum, and Base.

THORChain's own infrastructure moved before the team did.

THORChain's Mimir governance module flipped the transaction pause and signature pause parameters to active, and validators halted starting from block 26190429 for approximately 12 hours and 42 minutes.

No human decision was needed.

More than 5 hours after ZachXBT's announcement, THORChain released an official statement confirming what the on-chain data already showed: one of six Asgard vaults was breached. $10.7 million gone.

Node operators protecting the affected vault were slashed RUNE for unauthorized outgoing transactions. Rotations paused. On-chain listing postponed indefinitely. Initial indications showed no individual user transactions were impacted.

THORSwap and Metro.exchange immediately stopped THORChain routing.

Maya Protocol paused out of caution.

ATOM trading went dark.

Alternative providers—Chainflip, NEAR Intents, Harbor, Flashnet, Garden, 1inch—continued running, unaffected.

As the ecosystem scrambled, on-chain records were already telling a different story.

Among the earliest signals pointing to the cause: banteg flagged a GitLab commit to THORNode, created on May 6—nine days before the attack—titled "Sign full ObservedTx wrapper to prevent proposer forgery."

The patch existed. It had a name and a timestamp. It was never released.

This commit would prove to be one thread in a larger fabric, not the root cause but an early indicator of the gap between known and done.

Nine days separated a committed patch and a $10.7 million loss—so who, exactly, is responsible for what exists in that gap?

One Node, One Key, One Sweep

THORChain's vaults are secured by a Threshold Signature Scheme (TSS), a form of multi-party computation where a quorum of nodes collectively produces cryptographic signatures without any single node holding the full private key.

Distributed trust in theory. In practice, only as strong as every co-signer in the quorum.

The setup began weeks before the drain. A newly created Discord account—"Dinosauruss"—joined the THORChain developer Discord on May 1, asking how to get a node rotated into the network as quickly as possible.

For unrelated reasons, the normal three-day rotation interval was delayed, forcing the attacker to wait. On May 13, two days before the attack, a brand-new node operator with ~635,000 RUNE across two staking addresses rotated into the active validator set and was randomly assigned to one of five vaults.

Over the next two days, that node participated in regular GG20 signing ceremonies, gaining everything it needed.

THORChain's confirmed findings: the attacker exploited a vulnerability in the GG20 TSS implementation that allowed sensitive key material of vault participants to leak over time.

By accumulating enough leaked material across signing rounds, the attacker reconstructed the vault's full TSS private key and executed unauthorized outgoing transactions directly.

The active solvency checker verified solvency before signing. No signature could capture that. The passive checker activated when the vault came up short, by which time the funds were already gone.

The solvency checker worked exactly as designed. The attack simply bypassed the layer it monitored.

To understand why the attacker could reconstruct the key in the first place, you must understand what THORChain was running.

GG20 is a widely used threshold ECDSA protocol, commonly deployed in systems that interact with Bitcoin and Ethereum.

It also has a documented history of critical vulnerabilities.

CVE-2023-33241 and TSSHOCK, both disclosed in 2023, are key extraction attacks requiring only a single compromised co-signer to reconstruct the full private key—silently, without triggering aborts, leaving no trace in normal protocol operation.

The specific mechanism used against THORChain has not been publicly confirmed to match any CVE, but both demonstrate the class of attack to which the library is susceptible.

THORChain's TSS runs on a fork of Binance's tss-lib implementing GG20.

As Taylor Monahan noted shortly after the exploit was flagged: "Oh dear, looks like THORChain is running a tss-lib that is roughly 3 years and 2+ major security versions behind."

banteg published the most detailed technical analysis the day after the attack, directly examining THORChain's deployed fork, tss-lib v0.1.6, commit 287e1e2, used in thornode v3.18.0.

His finding: the key generation path accepts and persists peer Paillier material without establishing a well-formed two-prime Paillier modulus via MOD/FAC proofs.

Consequently, a malicious node can register a 2048-bit Paillier modulus that passes every check the library performs, while containing factors known to the attacker.

Once honest nodes persist this malformed key, every signing round touching it exposes an oracle in the checked code that leaks residuals of other participants' long-term signing shares, which the attacker can accumulate and combine offline.

His harness tests confirmed the oracle shape in the checked code.

jpthor saw this early, flagging GG20 as the most likely explanation within hours of the pause.

Charles Guillemet articulated the broader structural issue: in every published GG18 and GG20 attack, a single malicious or compromised co-signer suffices.

Not a majority, not a quorum, one.

If a single participant is malicious, the entire premise of distributed key security collapses at the co-signer layer.

jpthor has since outlined a three-step roadmap: patch GG20 to bring THORChain back online; migrate all ECDSA protocols to DKLS; then migrate Bitcoin signatures to FROST.

He described GG20 as a "black box" with "many fragile assumptions" that "will always be a black box," the closest thing to an internal admission on the public record.

THORChain partnered with Silence Labs in November 2025 to build a custom DKLS implementation, targeting delivery in Q1/Q2 2026—which is why GG20 was still in production at the time of the attack. That work was not yet complete.

THORChain's rotation mechanism, the process by which validators regularly rotate in and out of active Asgard vaults, made this possible.

Without it, the malicious operator had no path to join a vault, participate in signing ceremonies, and accumulate key material. The attacker didn't need to break the cryptography. They just needed to get into the room.

The investigation continues with THORSec and Outrider Analytics.

Law enforcement has been contacted. The attacker's identity remains unknown.

An exploit report was released on May 20. A follow-up report will be published once the investigation is complete and a recovery plan is finalized.

What is known is the on-chain link between the node address, the staking wallet, and the receiving wallet, along with the confirmed mechanism—a cryptographic library years behind on security versions, running on a fork containing an implementation flaw capable of leaking vault key material to a patient malicious operator.

Malicious node:

thor16ucjv3v695mq283me7esh0wdhajjalengcn84q

THORChain's rotation mechanism exists to rotate trust. Someone used it to buy time.

So how many other DeFi protocols running GG20-based vaults are sitting on the same unpatched library, waiting for the next patient operator?

Swept Clean

Multiple chains, dozens of tokens, one address.

Whoever did this knew exactly where everything was and moved with a precision that does not suggest improvisation.

Before the network pause had fully propagated, every ERC-20 token on Ethereum, BNB Chain, and Base was consolidated to attacker-controlled addresses. Bitcoin moved in parallel.

By the time ZachXBT posted his alert, consolidation was complete.

QuillAudits published a full chain-by-chain breakdown on May 19.

The drain was as follows...

Malicious Activity on Ethereum

Stablecoins, blue-chip DeFi tokens, and protocol-native assets drained from the vault:

1,756,756.02 USDT · 1,261,986.53 USDC · 73,768,463.86 XRUNE · 3,349,323.54 THOR · 5.206 WBTC · 64,138.47 LUSD · 61,074.86 GUSD · 38,762.45 USDP · 1,044.06 LINK · 4,567.54 DAI · 78.10 AAVE · 1,514.92 SNX · 481,996.68 FOX · 1.057 YFI · 11.43 DPI

Attacker Address:

0x82fc0d5150f3548027e971ec04c065f3c93154eb

THORChain Vault:

0x82a5CF67F3e6970C0529122178075C0a94878bDA

Outgoing Transactions:

View all on Etherscan

Funds sent to (~$6.77 million):

0xd477b69551f49C0519F9B18c55030676138890Bd