
A New Node Waited Two Weeks. Then It Took $10.7M From THORChain

A rogue node operator drained $10.7M from THORChain on May 15 via a GG20 vulnerability. Here is the full timeline, the security response, and what comes next.

Someone joined THORChain’s developer Discord on May 1 under the handle Dinosauruss. The account was fresh. The questions were specific — how to get a node churned into the network, and how quickly. The normal three-day churn interval was already delayed for unrelated reasons, which meant waiting.

According to the THORChain Exploit Report #1, published May 20, the attacker’s node address (n84q) finally entered the active validator set on May 13. Around 635,000 RUNE across two bond addresses. Randomly assigned to one of five vaults, like any other operator.

The Node That Got In and Never Left

For two days, the node participated in routine GG20 signing ceremonies. Nothing appeared irregular. GG20, or Gennaro-Goldfeder 2020, is the threshold signature scheme THORChain uses to distribute vault key control across independent operators. No single node ever holds the full private key — under normal conditions.

The flaw changed that. Through progressive key material leakage across multiple signing rounds, the attacker reportedly reconstructed the vault’s full private key. When the reconstruction was complete, outbound transactions were signed and broadcast directly, outside the GG20 ceremony entirely.

The reactive solvency checker caught the divergence within minutes. It detected that the expected balance exceeded the actual on-chain balance by more than 1% across multiple chains, triggering automatic halts on ETH, AVAX, BSC, BASE, DOGE, and GAIA with no human involved. The funds, roughly $10M at first estimate, had already moved.
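The detection step described above, a ledger-expected balance compared against the observed on-chain balance with a 1% tolerance, is simple enough to illustrate. The block below is an added example written for this article; it is not THORChain's solvency checker. The chain names come from the article, the vault balances are constructed sample values (BTC and LTC are added here only to show a chain within tolerance and a chain with no expected balance), and "halting" is a returned decision rather than a real network action.

```python
# Constructed example of a reactive solvency checker, modelled on the behaviour
# the article describes. Not THORChain's own code: balances are sample values,
# and the halt action is a returned decision rather than a network halt.
from dataclasses import dataclass
from typing import Dict, List, Optional

HALT_THRESHOLD = 0.01  # 1% shortfall, the trigger level quoted in the article


@dataclass(frozen=True)
class ChainCheck:
    chain: str
    expected: float            # balance the ledger says the vault should hold
    actual: Optional[float]    # balance observed on-chain; None if unreadable
    shortfall_ratio: float     # (expected - actual) / expected, clamped at 0
    halt: bool                 # True if the chain should be halted
    reason: str


def check_chain(chain: str, expected: float, actual: Optional[float],
                threshold: float = HALT_THRESHOLD) -> ChainCheck:
    """Compare one chain's expected vault balance against what is on-chain."""
    if actual is None:
        # Cannot observe the chain: fail closed rather than assume solvency.
        return ChainCheck(chain, expected, None, 1.0, True, "balance unreadable")
    if expected <= 0:
        # Nothing is supposed to be in the vault, so no shortfall is possible.
        return ChainCheck(chain, expected, actual, 0.0, False, "no expected balance")
    shortfall = max(expected - actual, 0.0)   # a surplus is not insolvency
    ratio = shortfall / expected
    if ratio > threshold:                     # strictly "more than 1%"
        return ChainCheck(chain, expected, actual, ratio, True,
                          f"shortfall {ratio:.2%} exceeds {threshold:.0%}")
    return ChainCheck(chain, expected, actual, ratio, False, "within tolerance")


def check_solvency(expected: Dict[str, float], actual: Dict[str, float],
                   threshold: float = HALT_THRESHOLD) -> List[ChainCheck]:
    """Run the check for every chain the ledger tracks, in a stable order."""
    return [check_chain(c, expected[c], actual.get(c), threshold)
            for c in sorted(expected)]


def chains_to_halt(expected: Dict[str, float], actual: Dict[str, float],
                   threshold: float = HALT_THRESHOLD) -> List[str]:
    """Names of the chains whose divergence warrants an automatic halt."""
    return [r.chain for r in check_solvency(expected, actual, threshold) if r.halt]


# Constructed sample: ledger-expected vault balances (native units) and what a
# chain scan sees after unauthorised outbound transfers from several vaults.
SAMPLE_EXPECTED = {"ETH": 1000.0, "AVAX": 5000.0, "BSC": 2000.0, "BASE": 800.0,
                   "DOGE": 1_000_000.0, "GAIA": 30_000.0, "BTC": 50.0, "LTC": 0.0}
SAMPLE_ACTUAL = {"ETH": 940.0, "AVAX": 4800.0, "BSC": 1950.0, "BASE": 700.0,
                 "DOGE": 900_000.0, "BTC": 49.9, "LTC": 0.0}   # GAIA unreadable

if __name__ == "__main__":
    for r in check_solvency(SAMPLE_EXPECTED, SAMPLE_ACTUAL):
        print(f"{'HALT' if r.halt else 'ok  '} {r.chain:5s} {r.reason}")
```

Two design choices matter here. A chain whose balance cannot be read is halted rather than skipped, because an unobservable vault is exactly the case an attacker would like the checker to ignore; and the comparison is strict, so a shortfall of exactly 1% does not trigger, matching the "more than 1%" rule the article quotes.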

Discord Lit Up Before the Official Response Did

As network activity stalled, a community member flagged unusual transactions: multiple sends from the TC router to an Ethereum address carrying no memo. That post became the first human-initiated alarm. ZachXBT, on X, warned the community that THORChain may have lost over $10M across Bitcoin, Ethereum, BSC, and Base.

Node xuuu was first to place a manual 720-block pause. Others stacked more pauses in rapid succession. The THORChain governance system is designed for exactly this: a single node cannot lock the network indefinitely, but multiple independent nodes acting fast can sustain a halt long enough to investigate. On May 15, roughly 18 to 20 nodes stacked pauses simultaneously.

Formal Mimir governance votes followed over Discord. The three-vote threshold for operational parameters was met. HALTTRADING activated at block 26183438. HALTSIGNING at block 26183439. HALTCHAINGLOBAL at block 26183590. HALTCHURNING at block 26183849 — that last one specifically to prevent the malicious node from exiting the network.

The entire network was locked down within approximately two hours of the community raising the alarm.

What the Investigation Found, and What It Withheld

The development team’s first public statement came at 11:01 on May 15, estimating losses at $7.4M and listing three vectors under investigation: a GG20 vulnerability, infrastructure compromise, and others. Node operators were asked to audit infrastructure and submit Bifrost logs.

By 19:10 that same day, the picture was clearer. On-chain forensics linked the malicious node address thor16ucjv3v695mq283me7esh0wdhajjalengcn84q to the Ethereum addresses that received the stolen funds. The revised loss figure came in at approximately $10.7M. Coordination with Outrider Analytics and law enforcement was already underway, according to the official report.

The DeFi security landscape in 2026 had already seen $620M in losses through April alone. THORChain’s incident added further weight to concerns around cryptographic layer vulnerabilities in cross-chain infrastructure.

Patch Released, Recovery Still Open

On May 16, the marketing team issued a scam warning. Fake airdrop and refund schemes were already spreading across social media. THORChain confirmed it has no active refund or airdrop program.

By May 18, patch v3.18.1 was imminent. The dev team said it had a strong understanding of the attack but would withhold technical specifics until other projects using the same GG20 implementation could be quietly alerted and patch their own systems. All node operators were asked to scale down Bifrost pods ahead of the release.

The full recovery path falls to community governance. ADR-028, the Architecture Decision Record currently open for discussion, will determine how the lost funds are handled. Options under debate include bond slashing and protocol-owned liquidity absorption. The chosen approach is expected to be implemented in v3.19.

THORChain had already identified DKLS, a more modern threshold signature scheme, as its long-term cryptographic target. Silence Labs was engaged in November 2025 to build a custom DKLS implementation with identifiable aborts. Targeted delivery was Q1/Q2 2026. GG20 stayed in production in the meantime. The attacker arrived in May.
