Thor’s Hammer Malfunctioned – $10.7M Vanishes in Node Operator Shenanigans!

A digital fortress cracked wide open, spilling 20% of its gold into the void.
Users blinked, LPs yawned: emergency brakes saved the day, thank you very much.
Decentralized security? More like decentralized chaos, it seems.

In the dry, sunbaked plains of May 15, THORChain’s vaults became a stage for a farce of modern finance. A fresh-faced node operator, armed with nothing but a GG20 signing flaw and a two-day résumé, waltzed into the network and drained $10.7 million like a cowboy at a water hole. Developers, flustered and clutching their keyboards, hit every emergency button they could find, turning the protocol into a digital ghost town overnight.

The solvency system, that watchful sentinel of balances, caught the thief’s shadow within minutes. It froze the action across blockchains like a sheriff nailing a wanted poster to a saloon door. Node operators, now playing both judge and jury, voted to shutter the whole damn show. Only one of six Asgard vaults bled, 20% of the protocol’s gold, but users’ pockets and LPs’ stakes? Safe as a cat in a treehouse.

THORChain’s first Exploit Report is now live.

A timeline, security layers, and what’s next, served up with a side of ADR-028.

– THORChain (@THORChain) May 21, 2026

The GG20’s Achilles’ Heel

The villain here is a validator node, thor16ucjv3v695mq283me7esh0wdhajjalengcn84q, who joined the network on May 13. For two days, it played nice, signing transactions like a model citizen. Then, like a pickpocket in a crowd, it pieced together the vault’s private key from fragments, bypassing approvals and siphoning funds. GG20, the cryptographic system meant to split keys into pieces, had a leaky faucet: a flaw that let the attacker rebuild the key drop by drop.

GG20, a fork of Binance’s tss-lib, has been under a microscope for years. Researchers warned of vulnerabilities, and now those warnings echo louder than a church bell. Charles Guillemet, Ledger’s CTO, noted how a single bad actor could piece together enough data to crack the code. This exploit? A textbook case of TSSHOCK, the industry’s least favorite acronym.

THORChain, ever the optimist, had already been plotting a switch to DKLS, a newer system. Since November 2025, they’d been cozying up with Silence Labs to build a version fortified like a dragon’s hoard. Too late, it seems.

Where the Loot Went

The thief’s treasure map led to Bitcoin, Ethereum, BNB Chain, and Base. Post-heist, the attacker’s wallets gleamed with 3,443 ETH, 36.85 BTC, and 96.6 BNB. They consolidated the loot into two addresses, like a pirate burying treasure chests. TRM Labs tracked the trail across nine chains, but the main haul? Four chains, four grins.

Emergency Brakes Save the Day

THORChain’s solvency system, that digital watchdog, sprang into action when losses hit 1%. Within 52 minutes, trading and signing froze across Ethereum, Avalanche, BSC, Base, Dogecoin, and Gaia. It was a cold, swift shutdown, like yanking the plug on a malfunctioning toaster.
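The kind of check described above, sketched as an added example that is not THORChain's code: a per-chain comparison of what the ledger says the vaults hold against what is observed on-chain, halting a chain once the shortfall reaches the 1% trigger the article mentions. The function names, chain labels and balances are constructed for illustration, and failing closed on a missing reading is a design choice of this sketch.

```python
from decimal import Decimal

# The 1% trigger comes from the article; all names and balances below are
# constructed for illustration and are not THORChain's.
THRESHOLD = Decimal("0.01")

def shortfall_ratio(recorded: Decimal, observed: Decimal) -> Decimal:
    """Fraction of the ledger-recorded balance that is missing on-chain."""
    if recorded <= 0:
        return Decimal(0)
    return max(Decimal(0), (recorded - observed) / recorded)

def check_solvency(ledger, onchain, halted=(), threshold=THRESHOLD):
    """Return the set of chains that must be halted.

    ledger  -- {chain: {asset: balance the protocol believes the vaults hold}}
    onchain -- {chain: {asset: balance actually observed in vault addresses}}
    halted  -- chains already halted; a halt is sticky and is only lifted by
               an explicit operator decision, never by this check.
    """
    result = set(halted)
    for chain, assets in ledger.items():
        for asset, recorded in assets.items():
            observed = onchain.get(chain, {}).get(asset)
            # Fail closed: an unreadable balance is treated as a shortfall.
            if observed is None or shortfall_ratio(recorded, observed) >= threshold:
                result.add(chain)
                break
    return result

def demo():
    """Run the check over constructed balances and return the halted chains."""
    ledger = {
        "ETH": {"ETH": Decimal("1000")},
        "BTC": {"BTC": Decimal("50")},
        "BASE": {"ETH": Decimal("200")},
        "DOGE": {"DOGE": Decimal("900000")},
    }
    onchain = {
        "ETH": {"ETH": Decimal("800")},    # 20% missing: halt
        "BTC": {"BTC": Decimal("49.8")},   # 0.4% missing: below the trigger
        "BASE": {"ETH": Decimal("198")},   # exactly 1% missing: halt
        # no DOGE reading at all: halt (fail closed)
    }
    return check_solvency(ledger, onchain)

if __name__ == "__main__":
    print(sorted(demo()))
```

Decimal arithmetic keeps the comparison exact at the threshold boundary, where binary floats could round a 1% shortfall to just under the trigger.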

Node operators, now communicating via Discord and Mimir governance, stacked manual pauses like bricks. HALTTRADING, HALTSIGNING, HALTCHAINGLOBAL: each button press a desperate prayer. Operators flagged suspicious transactions, and within an hour, the network was a museum of frozen activity.

Forensic analysis linked the malicious node to Ethereum addresses holding the stolen goods. THORChain, still sweating bullets, works with Outrider Analytics and law enforcement. Patch v3.18.1 now guards the remaining vaults, while ADR-028 debates recovery plans. The community, ever the optimist, hopes to reclaim the loot. Or at least write a better story.


2026-05-21 15:36