Skip to main content
Sign in

THORChain GG20 MPC Vault Exploit (May 2026)

avoid.net/thorchain-gg20-mpc-vault-exploit-may-202638/100·87% conf.
[AI-DRAFTED · AWAITING VERIFICATION]
anchored·4FCm1k…Bo6r

Summary

On May 15, 2026, THORChain suffered a targeted cryptographic exploit in which a malicious node operator reconstructed a full private key from a single Asgard vault by exploiting incremental key material leakage in the GG20 Threshold Signature Scheme, draining approximately $10.7 to $11 million across nine blockchain networks. The protocol executed an automated and community-coordinated emergency halt, published a formal exploit report on May 21, 2026, and resumed trading on June 23, 2026, after a 39-day shutdown and an 11-stage security overhaul. The incident is the third major security breach in THORChain's history and exposed systemic risks in GG20-based MPC implementations.

Connected Entities

3 entities · 10 linked investigations
Wallets
DBLJWF…FCjSrwoGBr…bFBz
Organizations
THORChain GG20 MPC Vault Exploit (May 2026)
Relationships
  • DBLJWFemMHbduKofBRg6TJ9XFAgWdvFCjSmentioned withTHORChain GG20 MPC Vault Exploit (May 2026)(50%)
  • rwoGBrYEJ28jhBjchrTyCGXd1Pt4pobFBzmentioned withTHORChain GG20 MPC Vault Exploit (May 2026)(50%)
  • + 1 more
Have evidence about THORChain GG20 MPC Vault Exploit (May 2026)?

Timeline(12 events)

2021-06-29

THORChain suffers first major exploit via fake deposit attack; approximately $350,000 lost.

SlowMist Analysis — Medium

2021-07-16

THORChain ETH Router exploit #1 drains approximately $8 million.

THORChain Post-Mortem — Medium

2021-07-23

THORChain ETH Router exploit #2 drains approximately $8 million; third incident in one summer.

THORChain Post-Mortem — Medium

2025-11-01

THORChain engages Silence Laboratories to develop a custom DKLS threshold signature implementation to replace GG20, targeting Q1/Q2 2026 delivery.

Cryptopolitan — THORChain node operators vote on network restart plan

2026-05-13

Malicious node operator (thor16ucjv3v695mq283me7esh0wdhajjalengcn84q) joins THORChain network with approximately 635,000 RUNE bonded collateral.

THORChain Exploit Report #1

2026-05-15

Exploit executed: attacker reconstructs full private key for one Asgard vault using GG20 key material leakage and drains approximately $10.7 to $11 million across at least nine blockchains.

CoinDesk — Thorchain halts trading after $10 million cross-chain exploit

2026-05-15

Automated solvency checker triggers within 52 minutes of exploit onset, halting signing and trading on Ethereum, Avalanche, BSC, Base, Dogecoin, and Cosmos chains. RUNE declines approximately 12%.

THORChain Exploit Report #1

2026-05-15

Node operators coordinate on Discord to issue manual pauses and Mimir governance votes; network-wide halt across trading, signing, chain observation, and churning achieved within approximately two hours.

THORChain Exploit Report #1

2026-05-15

Emergency patch v3.18.1 released to safeguard remaining vaults.

CryptoBriefing — THORChain resumes trading after five-week halt

2026-05-21

THORChain publishes Exploit Report #1, detailing the full incident timeline, GG20 vulnerability, and governance recovery pathway via ADR-028.

THORChain Exploit Report #1

2026-05-22

ADR-028 governance vote opened to node operators, proposing loss absorption through protocol-owned liquidity and a 10% bounty for fund return.

BanklessTimes — THORChain Opens ADR028 Vote

2026-06-23

THORChain resumes full trading after 39-day shutdown, completing an 11-stage reactivation process including security audits, vault migration, and node keyshare verification. RUNE trades near $0.42.

CryptoTimes — THORChain Reopens 39 Days After $10.7M Exploit
Provenance & Audit Trail

Decision Log

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

model: claude-sonnet-4-6

generated: 6/29/2026, 11:04:27 PM

last updated: 6/29/2026, 11:04:38 PM

avoid.net — verified advice for a post-truth world