Particle.news

THORChain Resumes Trading After $10.7M GG20 Exploit

After five weeks of vault verification and software upgrades, the protocol must decide whether to replace the GG20 threshold‑signature system to prevent future key‑leak attacks.

Overview

  • A malicious node operator reconstructed a vault private key and stole about $10.7 million from one Asgard vault on May 15, forcing an automated multi‑chain halt when on‑chain solvency checks flagged the imbalance.
  • The network detected the theft within minutes and paused signing, churning and trading to limit losses while validators coordinated recovery actions.
  • Over five weeks the team verified every vault and keyshare, migrated legacy vaults to a new vault set and deployed v3.18.x and v3.19.x upgrades that add compromised‑vault quarantine, keyshare checks and ADR028 recovery logic.
  • THORChain covered the $10.7 million shortfall using protocol‑owned liquidity instead of minting new RUNE, and trading was restarted Tuesday after validators approved the upgrades; RUNE showed only modest price movement on the restart day.
  • Native Monero swaps advanced to end‑to‑end testing and Zcash support is planned, while the community debates moving off GG20 TSS and tightening node onboarding and governance to reduce replay risks for users and liquidity providers.