THORChain has confirmed that a malicious node operator exploited a vulnerability in its GG20 threshold signature system, draining approximately $10.7 million from one of the protocol's vaults.
The GG20 scheme splits key control across multiple node operators. The attacker gradually reconstructed a full private key for one vault through progressive key material leakage.
Automatic solvency checks triggered within minutes, halting signing and trading across multiple chains. Node operators coordinated a full network halt within two hours and deployed a patch.
The blockchain investigator ZachXBT first flagged the exploit last week.
The incident is part of a resurgence in crypto exploits, which stole over $634 million in April.
THORChain has proposed a recovery path through community consensus, outlined in governance proposal ADR-028. The plan would absorb losses via protocol-owned liquidity and spread the remainder across synth holders, without minting or selling RUNE tokens.
A recovery bounty has been offered for the return of stolen funds. The malicious node will be slashed, while innocent nodes in the same vault are protected.
ADR-028 proposes keeping the patched GG20 framework. Some analysts praised the auto-safeguards, while others remain critical, calling GG20 a "black box" with brittle assumptions.
The RUNE token fell 15.5% in the week after the exploit, recovering 4% in the last 24 hours.