THORChain Exploit Linked to GG20 Signature Flaw and Malicious Node Attack

THORChain has confirmed that a malicious node exploited a vulnerability in its GG20 threshold signature system, leading to the theft of around $10.7 million from one of its vaults. The GG20 system is designed to split private key control across multiple nodes so no single operator can access full signing power. However, investigators found that “progressive key material leakage” allowed the attacker to reconstruct a complete private key and drain funds.

Automated Safeguards Halt Further Losses

The protocol’s automatic solvency checks activated within minutes of the exploit, stopping signing and trading activity across multiple chains. A full network halt was later coordinated by node operators through Discord, followed by a security patch deployment. THORChain confirmed that these safeguards prevented additional losses and limited the impact of the attack.

Recovery Plan and Community Debate Over GG20 Security

The protocol is now considering recovery options under governance proposal ADR-028, which suggests covering losses through protocol-owned liquidity without minting or selling RUNE tokens. The attacker has also been offered a bounty for returning funds. While some analysts praised the emergency response system, others warned that GG20 may have structural weaknesses that require deeper redesign. RUNE prices fell 15.5% after the exploit before a slight recovery.