TL;DR:
- THORChain suffered a $10.7 million exploit caused by a flaw in its GG20 threshold signature system and a malicious operator node.
- A malicious node reconstructed the full private key of a vault through progressive leakage of cryptographic material, draining the funds.
- Proposal ADR-028 plans to absorb losses using the protocol’s own liquidity, without minting or selling RUNE tokens.
The THORChain exploit, in which approximately $10.7 million were lost from one of the protocol’s vaults, originated in the combination of two factors: a vulnerability in the GG20 threshold signature system and the actions of a malicious node. The protocol itself confirmed this in a post-mortem report.
The GG20 scheme distributes control of private keys across multiple node operators so that none can access a complete key individually. However, the detected flaw allowed the malicious node to reconstruct the full private key of a vault through what the report describes as “progressive leakage of material“. The breach was exposed before any human mechanism could intervene.
THORChain Incident Update #4
Following the events of May 15th, the community has been hard at work defining a path forward. ADR028 is now published and a vote is open for Node Operators.🔹 The Recovery Plan 🔹
The protocol will absorb the loss first through Protocol-Owned…— THORChain (@THORChain) May 22, 2026
Automated Systems Acted Swiftly
The protocol’s automatic solvency controls activated within minutes and halted signing and trading operations across multiple chains without human intervention. Node operators then coordinated through Discord a full network shutdown, completed within two hours of the incident. A patch was deployed to fix the vulnerability.
The case became publicly known a week earlier, when blockchain investigator ZachXBT flagged the $10 million exploit, moments before THORChain announced the full suspension of operations. A sharp surge in attacks has been recorded across the sector: according to DefiLlama data, exploits generated more than $634 million in losses in April alone.
The THORChain Community Opts for a Recovery Without Selling RUNE
THORChain published governance proposal ADR-028, currently open for voting among node operators. The plan contemplates absorbing losses first with the protocol’s own liquidity and distributing the remainder among synth holders, without minting or selling RUNE tokens. A portion of protocol revenues would be redirected to replenish that liquidity over time.
The protocol also offered a bounty for the return of the stolen funds and announced it will penalize the malicious node while protecting innocent nodes located in the same vault. ADR-028 proposes maintaining the GG20 framework in a patched version, a decision that generated divided reactions.
