THORChain GG20 MPC Vault Exploit (May 2026)
Summary
On May 15, 2026, THORChain suffered a targeted cryptographic exploit in which a malicious node operator reconstructed a full private key from a single Asgard vault by exploiting incremental key material leakage in the GG20 Threshold Signature Scheme, draining approximately $10.7 to $11 million across nine blockchain networks. The protocol executed an automated and community-coordinated emergency halt, published a formal exploit report on May 21, 2026, and resumed trading on June 23, 2026, after a 39-day shutdown and an 11-stage security overhaul. The incident is the third major security breach in THORChain's history and exposed systemic risks in GG20-based MPC implementations.
Connected Entities
3 entities · 10 linked investigations- DBLJWFemMHbduKofBRg6TJ9XFAgWdvFCjS→mentioned with→THORChain GG20 MPC Vault Exploit (May 2026)(50%)
- rwoGBrYEJ28jhBjchrTyCGXd1Pt4pobFBz→mentioned with→THORChain GG20 MPC Vault Exploit (May 2026)(50%)
- + 1 more
Timeline(12 events)
2021-06-29
THORChain suffers first major exploit via fake deposit attack; approximately $350,000 lost.
SlowMist Analysis — Medium2021-07-16
THORChain ETH Router exploit #1 drains approximately $8 million.
THORChain Post-Mortem — Medium2021-07-23
THORChain ETH Router exploit #2 drains approximately $8 million; third incident in one summer.
THORChain Post-Mortem — Medium2025-11-01
THORChain engages Silence Laboratories to develop a custom DKLS threshold signature implementation to replace GG20, targeting Q1/Q2 2026 delivery.
Cryptopolitan — THORChain node operators vote on network restart plan2026-05-13
Malicious node operator (thor16ucjv3v695mq283me7esh0wdhajjalengcn84q) joins THORChain network with approximately 635,000 RUNE bonded collateral.
THORChain Exploit Report #12026-05-15
Exploit executed: attacker reconstructs full private key for one Asgard vault using GG20 key material leakage and drains approximately $10.7 to $11 million across at least nine blockchains.
CoinDesk — Thorchain halts trading after $10 million cross-chain exploit2026-05-15
Automated solvency checker triggers within 52 minutes of exploit onset, halting signing and trading on Ethereum, Avalanche, BSC, Base, Dogecoin, and Cosmos chains. RUNE declines approximately 12%.
THORChain Exploit Report #12026-05-15
Node operators coordinate on Discord to issue manual pauses and Mimir governance votes; network-wide halt across trading, signing, chain observation, and churning achieved within approximately two hours.
THORChain Exploit Report #12026-05-15
Emergency patch v3.18.1 released to safeguard remaining vaults.
CryptoBriefing — THORChain resumes trading after five-week halt2026-05-21
THORChain publishes Exploit Report #1, detailing the full incident timeline, GG20 vulnerability, and governance recovery pathway via ADR-028.
THORChain Exploit Report #12026-05-22
ADR-028 governance vote opened to node operators, proposing loss absorption through protocol-owned liquidity and a 10% bounty for fund return.
BanklessTimes — THORChain Opens ADR028 Vote2026-06-23
THORChain resumes full trading after 39-day shutdown, completing an 11-stage reactivation process including security audits, vault migration, and node keyshare verification. RUNE trades near $0.42.
CryptoTimes — THORChain Reopens 39 Days After $10.7M ExploitDecision Log
- hash: 777mRnTfoHrKN1xyges6aehTkcoFhKcda3GL4Vq2Q1GZ
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 6/29/2026, 11:04:27 PM
last updated: 6/29/2026, 11:04:38 PM
avoid.net — verified advice for a post-truth world