THORChain’s $10M Exploit Caused by MPC Vulnerability, Private Key Leak

THORChain said a malicious node operator exploited a vulnerability in its GG20 threshold signature system to drain about $10.7 million from one of the protocol’s vaults.

The GG20 threshold signature scheme is used to secure THORChain vaults by splitting key control across multiple node operators, meaning no single node normally holds the full private key.

The vulnerability allowed the malicious node operator to reconstruct a full private key for one vault, through “progressive key material leakage,” the protocol said in a post-mortem report released on Wednesday.

THORChain said its automatic solvency checks triggered within minutes and halted signing and trading across multiple chains without human intervention. Node operators subsequently coordinated via Discord for a full network halt within two hours after and deployed a patch to fix the vulnerability.

The post-mortem report shows that the protocol’s automatic solvency checks functioned and stopped the exploiter from draining more funds. The report comes a week after blockchain investigator ZachXBT first flagged the $10 million exploit, shortly before THORChain announced a halt to all trading and signing.

The incident adds to a resurgence in crypto exploits, which stole more than $634 million in April, according to DefiLlama data.

Timeline of the $10 million THORChain exploit. Source: THORChain

THORChain weighs recovery path without RUNE sales

THORChain said Friday that the post-exploit recovery path will be determined by a community consensus and published governance proposal ADR-028, with votes currently open for node operators.

The proposal would have THORChain absorb losses first through protocol-owned liquidity and spread the remainder across synth holders. It would deplete protocol-owned liquidity but redirect a portion of protocol income to replenish it over time, without minting or selling THORChain (RUNE) tokens.

ADR-028 community proposal for recovery after $10 million exploit. Source: Gitlab

THORChain also offered a recovery bounty for the return of the stolen funds and said it would slash the attacker’s malicious node while protecting innocent nodes that were placed in the same vault as the exploiter.

Related: Polymarket team says user funds safe as exploit losses climb above $600K

ADR-028 proposes keeping the existing GG20 TSS framework in a patched and upgraded version and said it will resume trading only after the vulnerability is fixed, drawing mixed reactions from crypto industry watchers.

Pseudonymous crypto project analyst Bird said the initial vulnerability suggests that the GG20 TSS signing stack has a “flaw in randomness generation or local signing isolation,” but praised THORChain’s auto-safeguard for limiting the damage done by the exploit.

Other industry watchers were more critical of the decision. “My mental model is that GG20 has many brittle assumptions. You can keep patching it, but it will forever be a bit of a black box,” wrote crypto investor JP in a Wednesday X post.

RUNE/USD, 1-week chart. Source: CoinMarketCap

The RUNE token’s price fell 15.5% in the week following the exploit, but staged a 4% recovery in the 24 hours leading up to 11:00 a.m. UTC on Friday, CoinMarketCap data shows.

Magazine: The legal battle over who can claim DeFi’s stolen millions