THORChain Loses $10.8 Million After Malicious Validator Exploits GG20 System
THORChain lost approximately $10.8 million on May 15 after a newly added validator node allegedly exploited the protocol’s GG20 threshold signature scheme, reconstructing a vault key and draining funds from the network. The incident is the largest single security failure THORChain has reported in over two years and raises immediate questions about the validator admission process on the cross-chain liquidity protocol.
How the Exploit Unfolded
THORChain’s team said the attacker added a node to the validator set, then used a flaw in the GG20 threshold signature system to reconstruct a private key controlling a network vault, according to a report published May 15 by The Cryptocurrency Times.
The GG20 system, a cryptographic scheme that distributes key-signing authority across multiple validators so no single party holds a complete private key, is meant to prevent exactly this type of unilateral fund access. The attacker’s ability to reconstruct the key suggests either a protocol-level flaw in the GG20 implementation or collusion across multiple validator positions.
The native token RUNE (RUNE) fell sharply in the hours following the disclosure.
THORChain developers said they were investigating the scope of the breach and had paused certain network functions to limit further exposure.
Also Read: UK Borrowing Costs Hit 18-Year High as Burnham Leadership Bid Rattles Markets
Background
THORChain is a decentralized cross-chain liquidity protocol that lets users swap native assets across blockchains without wrapping tokens or using centralized intermediaries. The network has suffered previous security incidents.
In 2021, two separate exploits drained a combined $13 million from the protocol, forcing emergency halts and a multi-week recovery process. The protocol returned to full operation and grew its total value locked substantially through 2023 and 2024, making Thursday’s breach a significant setback for a project that had built a strong rehabilitation narrative.
The GG20 vulnerability category is not new to the industry.
Researchers flagged theoretical weaknesses in certain threshold signature implementations as far back as 2023, and at least two other protocols have patched related issues in the past 18 months.
Also Read: Babylon Bitcoin Staking Reaches $4 Billion in Total Value Locked One Year After Launch
What Comes Next
THORChain has not published a full post-mortem or confirmed the total funds recovered, if any. The protocol’s community will need to decide whether to compensate affected liquidity providers, a process that previously required a governance vote and extended remediation timelines.
Any compensation plan would likely put pressure on the RUNE token through dilution or treasury drawdowns. Validators and liquidity providers face elevated counterparty risk until the team closes the GG20 implementation gap and tightens node admission controls.
Read Next: LAB Token Drops 36% in 24 Hours as AI Narrative Tokens Face a Sector Selloff
