THORChain comes under fire after $10.7M GG20 exploit — governance opts to patch, not replace
THORChain is facing sharp criticism from security researchers and some investors after a $10.7 million exploit tied to its GG20 threshold-signature system. In a post-mortem published Wednesday, the cross-chain protocol said a malicious node operator exploited a flaw in GG20 and was able to reconstruct a full private key for one of the network’s vaults.
How the attack unfolded
- THORChain attributed the breach to “progressive key material leakage,” a failure that let the attacker bypass protections that are supposed to be enforced by distributing signing authority among multiple node operators.
- Within minutes, the protocol’s automated solvency checks suspended signing and trading across multiple chains, stopping further drains without manual intervention.
- Node operators coordinated via Discord to stop the network entirely and roll out a patch; THORChain says those emergency actions took roughly two hours.
- The protocol plans to slash the malicious validator node and protect unrelated node operators that happened to share the compromised vault.
Controversy over the recovery plan
Despite the emergency response and the patch, THORChain’s governance proposal ADR-028 recommends keeping GG20 in place with upgrades rather than replacing the signing framework outright. That decision sparked pushback from several analysts and investors.
- Pseudonymous analyst Bird posted on X that the exploit points to “a flaw in randomness generation or local signing isolation,” while also praising THORChain’s automated protections for limiting immediate losses.
- Investor “JP” argued on X that GG20 relies on “many brittle assumptions” and described the scheme as a “black box” that may remain hard to secure even after fixes.
What ADR-028 proposes
- Initial losses would be absorbed by protocol-owned liquidity (POL).
- Any remaining shortfall would be socialized across synth holders.
- Liquidity reserves would be rebuilt over time using a portion of protocol income, explicitly avoiding minting or selling additional THORChain tokens.
- Trading will remain paused until the vulnerability is fully resolved.
Bigger picture: a rising wave of sophisticated attacks
The THORChain exploit arrives amid an uptick in advanced attacks on crypto infrastructure. DefiLlama data show more than $634 million in exploits in April alone. Independent investigator ZachXBT was among the first to flag the THORChain incident before the protocol publicly stopped signing and trading.
Separately, blockchain security firm PeckShield disclosed that THORChain co-founder JP Thor lost about $1.3 million in a separate incident tied to a compromised Telegram account and a deepfake Zoom call. According to Thor’s account, attackers used a fake video feed impersonating a friend, ran a malicious script that copied files from his iCloud documents, then drained a MetaMask wallet that had been stored via an inactive Chrome profile and iCloud Keychain without triggering warnings.
Security researchers note that similar social-engineering and deepfake-enabled intrusions this year have been linked to North Korea–associated hacking groups. Earlier reporting and law enforcement attributions — including work by analytics firm TRM — tied a separate $1.5 billion theft from Bybit to North Korea-linked actors.
What this means for THORChain and the sector
THORChain’s automated defenses limited immediate damage and the governance path aims to avoid new token issuance to cover losses, but keeping GG20 — even updated — has exposed divisions between the protocol team and some security-focused community members. The incident also underscores how attackers are combining cryptographic exploits with sophisticated social-engineering campaigns, increasing pressure on protocols to tighten both core cryptography and personnel-facing attack surfaces.
Read more AI-generated news on: undefined/news
