Overview
- THORChain resumed trading on June 23 after a five-week halt that began when a May 15 exploit emptied about $10.7 million from one of six Asgard vaults.
- The attack exploited a flaw in the GG20 threshold signature scheme where a newly joined malicious node leaked key material during signing ceremonies and reconstructed a vault private key.
- Automated solvency monitors detected the imbalance within minutes and halted signing, trading, and node churn to limit the loss while developers deployed emergency patches and upgrades.
- Recovery work included a May 20 emergency patch, a June 9 upgrade that fixed the signing weakness, June 11 KeyVerify stability fixes, full keyshare verification, a vault migration and validator-approved v3.19.x before services returned.
- THORChain absorbed the $10.7 million hit from protocol-owned liquidity rather than minting new RUNE, has end-to-end Monero testing under way and plans Zcash support soon as the community debates replacing GG20 and tightening node onboarding.