THORChain Suffers $10.7M Vault Exploit via Rogue Validator
THORChain lost $10.7 million on May 21, after a newly admitted validator node manipulated the protocol’s GG20 threshold-signing mechanism to drain a vault. The protocol published its exploit report on the same day, identifying the breach as the work of a single rogue operator.
The incident is the largest single-event loss THORChain has disclosed in over two years.
How the THORChain Vault Exploit Unfolded
The attacker gained admission as a new validator node and then abused the GG20 signing protocol to authorize an unauthorized vault transfer. GG20 is a threshold-signature scheme, a cryptographic method that requires a defined minimum number of participating parties to co-sign a transaction before funds can move.
By controlling or spoofing enough signing shares during the key ceremony, the rogue node was able to satisfy that threshold and execute the drain without triggering an immediate on-chain alert. THORChain’s exploit report confirmed the full $10.7 million loss came from a single vault targeted in this way.
Also Read: EasyJet CEO Assures Passengers Summer Flights Are Safe Despite Fuel Price Surge
Background
THORChain is a decentralized cross-chain liquidity protocol that allows users to swap native assets across blockchains, including Bitcoin (BTC) and Ethereum (ETH), without relying on wrapped tokens or centralized intermediaries.
Validators in the network pool liquidity and participate in the threshold-signing process to authorize outbound transactions. The protocol has faced security scrutiny before.
In 2021, THORChain suffered two separate exploits within weeks of each other, losing a combined total of roughly $13 million. Those incidents led to a security overhaul and a period of halted trading.
A further incident in early 2024 drew criticism when the protocol briefly paused to address concerns about illicit fund flows, raising governance questions across the broader decentralized finance community.
Also Read: Nvidia Posts Record Quarter but Shares Slip After Hours
What Comes Next
The immediate questions center on fund recovery, validator vetting, and whether the GG20 implementation requires a patch or a full redesign. THORChain’s node-admission process will face scrutiny, as the attacker gained entry as a new node rather than compromising an existing participant.
The protocol has not yet disclosed whether a network halt is planned. Traders holding RUNE (RUNE), THORChain’s native token used to bond validators and provide liquidity, will be watching for governance votes on compensation and any proposed changes to the signing architecture.
Until the protocol confirms a remediation path, the exploit report signals unresolved systemic risk in the validator admission process.
Read Next: Ethereum ETF Outflows Hit $432M Over Eight Days as ETH Tests $2,100
