THORChain $10.7M GG20 TSS Exploit (Explained)

THORChain lost $10.7M across 10 chains when a malicious node exploited a years-unpatched GG20 TSS flaw to reconstruct the vault private key. Here is how it happened.

QuillAudits Team

•May 26, 2026

THORChain $10.7M GG20 TSS Exploit (Explained)

$10.7M drained from THORChain's Asgard vault across 10 chains in minutes. See how one malicious node operator reconstructed a vault private key using a years-unpatched GG20 TSS vulnerability.

On May 15, 2026, a single malicious node churned into THORChain's validator set, spent two days in routine signing ceremonies, and reconstructed the vault's full private key from leaked cryptographic material. No flashloan, no bridge exploit. Just a GG20 library three years behind on security releases, missing the proof checks that would have made leakage impossible. The vulnerability class was public knowledge since 2023. The library hadn't been audited since before that. Three weeks of preparation. Minutes to drain.

What Is TSS and How Does THORChain's Vault System Work?

THORChain is a cross-chain decentralized exchange that enables native asset swaps across Bitcoin, Ethereum, and 20+ other blockchains without wrapping. Its security model depends entirely on a construct called Threshold Signature Scheme, or TSS.

In TSS, a set of validator nodes jointly control vault addresses across every supported chain. No single node ever holds a complete private key. Instead, they hold key shares, and a quorum must participate together in a signing ceremony to authorize any outbound transaction. The most common TSS implementation for chains that use ECDSA signatures, which includes Bitcoin and Ethereum, is GG20.

THORChain runs a custom fork of Binance's tss-lib implementing GG20, integrated into every node via the Bifrost bridge layer. When a user initiates a swap, Bifrost observes the inbound transaction and coordinates a signing ceremony among the active vault nodes. The vault signs the outbound transaction only when quorum is reached. Vault composition rotates through a churn mechanism every three days, with new nodes entering the active validator set and old ones exiting.

The security guarantee rests on two assumptions: that no single node can reconstruct the full key, and that the GG20 implementation correctly prevents key material from leaking during signing ceremonies. On May 15, 2026, both assumptions failed simultaneously.

Hack Analysis

The attacker funded the operation through Monero for privacy, then bonded ~635,000 RUNE across two addresses to qualify as a node operator. 8 ETH was delivered to the final receiving wallet just 43 minutes before the drain.

Screenshot 2026-05-25 at 7.09.33 PM.png Screenshot 2026-05-25 at 7.11.05 PM.png

A Discord handle, Dinosauruss, joined the THORChain Developer Discord, asking how to get a node churned into the network quickly. The churn interval was delayed at the time, forcing the attacker to wait.

Screenshot 2026-05-25 at 7.07.17 PM.png

The malicious node (thor16ucjv3v695mq283me7esh0wdhajjalengcn84q) churned into the active validator set and was randomly assigned to one of the five Asgard vaults.

Screenshot 2026-05-25 at 7.00.04 PM.png

THORChain's GG20 fork (tss-lib v0.1.6, thornode v3.18.0) skipped the MOD/FAC proof checks that validate Paillier key formation. The attacker registered a malformed Paillier modulus with attacker-known factors. Over two days of routine signing ceremonies, each signing round leaked residues of honest participants' long-term key shares. The attacker accumulated these offline.

Screenshot 2026-05-26 at 10.17.01 AM.png

With enough leaked material, the attacker reconstructed the vault's complete TSS private key without triggering any signing ceremony, bypassing both the proactive and reactive solvency checkers entirely.

Using the reconstructed key, the attacker signed unauthorized outbound transactions across all 10 chains the vault held. Every ERC-20 on Ethereum, BNB Chain, and Base was swept. Bitcoin moved in parallel.

THORChain's solvency checker detected the shortfall at block 26190429 and halted the network autonomously. The pause ran for 12 hours and 42 minutes. No human authorization required.

Root Cause

The root cause is a missing Paillier modulus soundness check in THORChain's deployed GG20 fork. By omitting the MOD/FAC proof family during key generation, the library permitted a malicious participant to register a structurally malformed Paillier key. This enabled a systematic, per-round leakage of honest participants long-term signing shares, eventually allowing full private key reconstruction by a single patient operator.

The vulnerability class is not novel. CVE-2023-33241 and TSSHOCK, both disclosed in 2023, describe key extraction attacks against GG20 requiring exactly one compromised co-signer and leaving no trace in normal protocol operation. The specific mechanism used against THORChain has not been publicly confirmed to match either CVE precisely, but both illustrate the class of attack that GG20 without proper proof verification is vulnerable to.

Funds Flow After Attack

Using the reconstructed vault private key, the attacker directly signed unauthorized outbound transactions from one of THORChain's Asgard vaults across ten chains simultaneously. All funds were pulled straight from the vault to attacker-controlled addresses, no intermediary contracts, no flash loans, no DEX routing. The table below reflects the direct on-chain extraction per chain.

Chain	Assets Extracted	Approx. Value
Ethereum	USDT, USDC, WBTC, XRUNE, THOR, LINK, AAVE, SNX, DAI, FOX, YFI, DPI, LUSD, GUSD, USDP	$5.20M
Bitcoin	36.85 BTC + 3.87 BTC	$3.26M
Dogecoin	3,911,749.91 DOGE + 3,911,751.03 DOGE	$580K
BNB Chain	USDC, BSC-USD, BUSD, TWT, ETH, BTCB	$450K
Litecoin	6,866.74 LTC	$580K
Avalanche	USDC, USDT, SOL	$280K
Bitcoin Cash	638.52 BCH	$150K
Base	55,912.41 USDC	$56K
XRP	25,404.92 XRP + 16.99 XRP	$50K
TRON	89,172 TRX → swapped to USDT via SunSwap → bridged to ETH	$14K

Screenshot 2026-05-25 at 6.55.22 PM.png Screenshot 2026-05-25 at 6.56.49 PM.png Screenshot 2026-05-25 at 7.03.25 PM.png

No individual user swap funds were affected. All losses came from protocol-owned vault balances. Node operators securing the compromised vault had their bonded RUNE slashed as a direct consequence of the unauthorized outbound transactions.

Post-Attack Mitigation

THORChain confirmed a newly churned node linked to on-chain evidence was the likely attacker. The leading theory: a GG20 TSS exploit allowing vault key material to leak over time. Trading, signing, LP actions, and sensitive operations all halted.

THORChain warned the community that fake accounts were circulating false claims of refunds, airdrops, and compensation programs. The team clarified: no such program exists, and initial findings indicate no user funds were lost. Investigation continuing alongside THORSec and external security partners.

Technical details were withheld while the team assessed whether other GG20 implementations could be at risk, with coordinated disclosure planned. thornode v3.18.1 was scheduled for the next day, all node operators were asked to upgrade immediately. The community governance channel #adr-028-tss-exploit-recovery was opened on Discord. The team indicated a preference to remain on GG20 short-term to restore stability, with longer-term cryptographic decisions deferred.

THORChain published ADR-028 and opened a node operator vote. Protocol-Owned Liquidity absorbs the loss first, the remainder is spread across synth holders. No new RUNE minted, no RUNE sold, no dilution. GG20 kept in place, patched, with trading resuming only after a successful churn on the patched version. The attacker's node slashed in full, innocent nodes in the same vault were protected. A white hat bounty offered, partial fund return rolls back the recovery plan proportionally. Full ADR-028: https://gitlab.com/-/snippets/5992927

THORChain published its first formal exploit report confirming GG20 TSS as the root cause. Full technical details of the specific implementation flaw were withheld, the team stated they are not yet in a position to publicly discuss them. A follow-up report will be issued once the investigation is complete and the recovery plan finalized.

https://thorchain.org/blog/thorchain-exploit-report-1

Relevant Address and Transactions

Attacker Wallets:

ETH/BNB/Base: 0x82fc0d5150f3548027e971ec04c065f3c93154eb
Bitcoin: bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37
Avalanche/Base: 0xd477b69551f49C0519F9B18c55030676138890Bd
Dogecoin: DBLJWFemMHbduKofBRg6TJ9XFAgWdvFCjS
Litecoin: ltc1qg0h4rz5kf27fkr99gamw4heg20rfz5epd7m7wh
Bitcoin Cash: qpp775v2je9texcv54rhd6kl9pfudy2nyyz4df2uvc
XRP: rwoGBrYEJ28jhBjchrTyCGXd1Pt4pobFBz
TRON: TXmo5sdVCvQnJgbvjAUpQJfyNx5EnqtAM3

ThroChain Vaults:

ETH/Base/BNB/Avalanche: 0x82a5CF67F3e6970C0529122178075C0a94878bDA
Bitcoin: bc1qt8f467qdkpmuflgwvgvvlr86r0kldnnvm7zhyv
Dogecoin: DDL3tEh5P5vjSCNyU7t7sz9DQykRnr97d2
Litecoin: ltc1qt8f467qdkpmuflgwvgvvlr86r0kldnnvlzcnuu
Bitcoin Cash: qpvaxhtcpkc8038ape3p3nuvlgd7makwds74qyng5p
XRP: r9BxLykSngpSuUU4jXtZLDycXip3Suo7Rf
TRON: TMt1UgzBNKETQMgGckJDomcMQhvwhGUiXo

Affected Vault:

thor1t8f467qdkpmuflgwvgvvlr86r0kldnnvtr9847

Rogue node:

thor16ucjv3v695mq283me7esh0wdhajjalengcn84q

Conclusion

One patient operator, three weeks of preparation, and a cryptographic library years out of date. THORChain's GG20 fork lacked the proof checks that would have made the key leakage impossible, and its churn mechanism gave the attacker exactly the access needed to exploit it. The network halted itself correctly. The vault did not hold. With ADR-028 under vote, a patch shipped, and a longer-term migration to DKLS and FROST on the roadmap, the path forward is defined.

Contents

Tell Us About Your Project

Subscribe to Newsletter