THORChain GG20 Vault Exploit and Network Halt, May 2026
Summary
On May 15, 2026, THORChain reported a targeted exploit that drained approximately $10.7 million from one network vault. THORChain said the attacker was a newly churned node operator who entered the active set two days earlier and exploited a vulnerability in the GG20 Threshold Signature Scheme used by the protocol’s vault-signing process.
THORChain’s automatic solvency detection triggered within minutes and halted signing and trading across multiple chains. Node operators then added manual pauses and Mimir governance votes, bringing trading, signing, chain observation, and churning to a controlled halt while the incident was investigated.
The project reported that four other vaults were unaffected and that EdDSA-based chains such as SOL were not vulnerable to the same class of attack. Attribution remains unknown in public reporting; THORChain described coordination with specialized entities and law enforcement but did not identify an actor.
Technical Analysis
THORChain vaults use threshold-signature controls rather than a single private key. In the affected design, a set of node operators jointly produced signatures through the GG20 Threshold Signature Scheme. THORChain said the May 15 incident involved a newly churned node operator assigned to one of the vaults after joining the active validator set.
According to THORChain’s May 20 analysis, the attacker reconstructed enough key material to sign outbound transactions directly from the targeted vault. That bypassed the normal GG20 signing ceremony because the attacker could issue transactions with the reconstructed vault key rather than asking the live validator quorum to complete a signing round.
The protocol’s reactive solvency checker detected a mismatch between expected and actual vault balances after the unauthorized outbound transactions had already left the vault. THORChain said this detection worked as designed by triggering chain-level halts, but it could not prevent the already signed transactions because the proactive check did not see the transaction before it was broadcast.
THORChain released patch v3.18.1 as a precaution for the remaining vaults while the root-cause investigation continued. The project also said the path for recovery of lost funds would be decided through community governance under ADR-028.
Attack Chain
Stage 1: Node entry into the active set
THORChain reported that a newly churned node operator entered the active validator set on May 13, 2026. The node was assigned to one vault, as active nodes are distributed across vaults through the protocol’s normal rotation process.
Stage 2: Participation in signing ceremonies
Over the following two days, the node participated in routine GG20 signing ceremonies. THORChain’s report describes this period as preparation for exploiting the targeted vault.
Stage 3: Vault-key reconstruction and outbound transactions
On May 15, the attacker signed and broadcast outbound transactions from the targeted vault. THORChain reported that approximately $10.7 million was drained from one vault, while the remaining four vaults were unaffected.
Stage 4: Automatic solvency-triggered halts
Within minutes, the reactive solvency checker detected that vault balances no longer matched expected holdings. Automatic protocol controls halted signing and trading across multiple chains.
Stage 5: Manual and governance-driven network halt
Node operators and community members investigated the activity, stacked manual pause commands, and cast Mimir governance votes. THORChain reported that trading, signing, chain observation, and churning were halted while response work continued.
Impact Assessment
The direct reported loss was approximately $10.7 million from a single THORChain vault. THORChain said the exploit affected one vault out of five, with the remaining four vaults unaffected.
The operational impact was broader than the drained vault because THORChain halted core network activity during containment. The project described halts to trading, signing, chain observation, and churning, which paused normal cross-chain operations while operators evaluated remaining risk.
THORChain stated that the SOL pool was safe because EdDSA-based chains were not vulnerable to the class of attack under investigation. The project also warned users about fraudulent refund, airdrop, or compensation websites after the incident.
Public sources do not confirm the identity of the operator, final recovery mechanism, or final root-cause analysis beyond THORChain’s reported GG20 vulnerability focus. Those items should remain unresolved until follow-up public statements or project governance records provide stronger evidence.
Attribution
Attribution is unknown. THORChain linked the attack to a newly churned node operator and an address it associated with the stolen funds, but the cited public sources did not identify the person or organization operating that node.
The Crypto Times reported third-party on-chain analysis and described the attack as planned, but that public coverage did not provide a confirmed actor identity. No government attribution was available in the cited source set.
Timeline
2026-05-13 — Node churns into the active set
THORChain reported that a new node operator entered the active validator set and was assigned to one of the protocol’s vaults.
2026-05-15 — Targeted vault drained
The attacker signed and broadcast unauthorized outbound transactions from the targeted vault. THORChain later reported the loss at approximately $10.7 million.
2026-05-15 — Solvency checker triggers chain-level halts
After the outbound transactions, the reactive solvency checker detected an imbalance between expected and actual vault balances. Automatic controls halted signing and trading across several connected chains.
2026-05-15 — Operators stack manual pauses
Node operators investigated the incident and stacked manual pause commands to keep network activity halted during containment.
2026-05-15 — Mimir governance halts network functions
Operational Mimir votes activated broader halts affecting trading, signing, chain observation, and churning.
2026-05-20 — THORChain publishes exploit report
THORChain published Exploit Report #1, summarizing the incident, response timeline, suspected GG20 issue, patch status, and community-governance recovery path.
Remediation & Mitigation
THORChain’s immediate remediation focused on freezing further activity, preserving unaffected vaults, and preparing patch v3.18.1. The project asked node operators to follow official upgrade and operational instructions while the investigation continued.
For THORChain users, the safest public guidance in the reviewed sources was to rely on official project channels and avoid refund or airdrop claims. THORChain stated it had no active refund, airdrop, or compensation program at the time of its public notice.
For DeFi protocols using threshold-signature schemes, this incident highlights several defensive priorities:
- Treat fresh validator entry and vault assignment as a high-risk period requiring close monitoring.
- Monitor vault solvency independently and alert on balance mismatches within minutes.
- Maintain emergency controls that can halt trading, signing, chain observation, and churn separately.
- Review GG20 and related TSS implementations for key-material leakage risks.
- Coordinate disclosure carefully when a cryptographic weakness may affect other projects.
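The first two priorities above, as an added monitoring example that is not THORChain code: it reconciles observed on-chain vault spends against the outbounds the protocol itself scheduled, which is the gap a directly signed transaction falls into, and raises the alert level while a recently churned-in signer sits in the vault. All names, the seven-day window and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy value; tune per deployment.
FRESH_WINDOW = timedelta(days=7)  # how long a churned-in signer counts as "fresh"

@dataclass(frozen=True)
class Spend:
    """An outbound transfer; amount is in the asset's base units."""
    vault: str
    to: str
    amount: int

def unmatched_spends(scheduled, observed):
    """Observed on-chain spends with no matching protocol-scheduled outbound.

    Each scheduled item authorises exactly one observed spend, so a
    duplicated spend is reported as well.
    """
    budget = {}
    for s in scheduled:
        budget[s] = budget.get(s, 0) + 1
    rogue = []
    for o in observed:
        if budget.get(o, 0) > 0:
            budget[o] -= 1
        else:
            rogue.append(o)
    return rogue

def assess_vault(vault, scheduled, observed, signer_joined, now):
    """Return (action, rogue_spends, fresh_signers) for one vault."""
    rogue = [s for s in unmatched_spends(scheduled, observed) if s.vault == vault]
    fresh = sorted(n for n, t in signer_joined.items() if now - t <= FRESH_WINDOW)
    if rogue:
        action = "halt-signing"      # funds left without a scheduled outbound
    elif fresh:
        action = "heightened-watch"  # no loss yet, but a new signer holds a share
    else:
        action = "ok"
    return action, rogue, fresh

# Constructed sample data (not taken from the incident).
NOW = datetime(2026, 1, 10, tzinfo=timezone.utc)
SIGNERS = {"node-a": NOW - timedelta(days=90), "node-b": NOW - timedelta(days=2)}
SCHEDULED = [Spend("vault-1", "addr-user-1", 50_000)]
OBSERVED = [Spend("vault-1", "addr-user-1", 50_000),
            Spend("vault-1", "addr-unknown", 9_000_000)]
```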
Sources & References
- THORChain: THORChain Exploit Report #1 — THORChain, 2026-05-20
- THORChain: Status update on May 2026 exploit — THORChain, 2026-05-15
- The Crypto Times: $10.8 Million Drained Inside the THORChain Exploit — The Crypto Times, 2026-05-17