← THORChain GG20 MPC Vault Exploit (May 2026)1 decision on this page
Audit log
Every state-changing event for THORChain GG20 MPC Vault Exploit (May 2026): moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1publishby system:backfill2026-06-29 23:04:38ZScore: ? → ? (no score change)anchoranchored
- chain
- ●mainnet-betaslot 429,759,148
- sig
4FCm1kGpUJAb…kceeBo6rexplorer ↗- hash
777mRnTfoHrK…4Vq2Q1GZsha256 → base58
verifying row…full verify ↗canonical bytes (25824 B) ▸
{"actor":"system:backfill","investigation_id":"4f885635-d130-4b30-975b-91055a2292bd","kind":"publish","page_slug":"thorchain-gg20-mpc-vault-exploit-may-2026","published_at":"2026-06-29T23:04:38.542Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"THORChain GG20 MPC Vault Exploit (May 2026)","sections":[{"content":"On May 15, 2026, THORChain — a decentralized cross-chain liquidity protocol — was exploited by a node operator who had joined the network only two days prior on May 13, 2026. The attacker operated under the node address thor16ucjv3v695mq283me7esh0wdhajjalengcn84q and bonded approximately 635,000 RUNE in collateral to gain validator status. By exploiting a vulnerability in the GG20 Threshold Signature Scheme (TSS) used to secure THORChain's Asgard vaults, the attacker reconstructed the private key for one of the network's vaults and executed unauthorized outbound transactions across at least nine blockchain networks. Approximately $10.7 to $11 million in assets were drained. TRM Labs confirmed funds were moved across Bitcoin, Ethereum, Binance Smart Chain, Base, Avalanche, Dogecoin, Litecoin, Bitcoin Cash, and XRP. RUNE, THORChain's native token, declined approximately 12% in the hours following the attack.","heading":"Incident Overview","severity":"critical","sources":[{"credibility":1,"name":"THORChain Exploit Report #1 — Official Blog","type":"official","url":"https://blog.thorchain.org/thorchain-exploit-report-1"},{"credibility":2,"name":"THORChain Exploit Drains USD 11M+ Across at Least Nine Chains — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/thorchain-exploit-drains-usd-11m-across-at-least-nine-chains-what-trm-knows-now"},{"credibility":1,"name":"Thorchain halts trading after $10 million cross-chain exploit, RUNE token drops 12% — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/05/15/thorchain-halts-trading-after-usd10-million-cross-chain-exploit-rune-token-drops-12"}]},{"content":"The exploit targeted a fundamental weakness in THORChain's implementation of the GG20 (Gennaro-Goldfeder 2020) multi-party ECDSA threshold signature scheme. GG20 is a cryptographic protocol designed so that no single party ever holds a complete private key — key material is distributed across multiple validator nodes and only assembled ephemerally during a collective signing ceremony. The attacker exploited a 'progressive key material leakage' flaw in the GG20 implementation, by which partial cryptographic shards were incrementally exposed during routine signing ceremonies. Over a short observation window, the attacker accumulated sufficient leaked material to reconstruct the full private key for one Asgard vault. Academic research has documented 'key extraction' weaknesses in some MPC protocols where a malicious participant can extract bits of other parties' secret shares across multiple protocol rounds. The GG20 paper itself acknowledges that 'identifiable abort' variants are required to prevent such attacks; investigators were working to determine whether the exploit leveraged a documented GG20 weakness or a THORChain-specific implementation flaw. Once the full private key was reconstructed, the attacker bypassed the collective multi-party signing ceremony entirely and signed unauthorized outbound transactions unilaterally across at least nine blockchains simultaneously.","heading":"Technical Attack Vector: GG20 Key Material Leakage","severity":"critical","sources":[{"credibility":2,"name":"THORChain Hacked: How a Rogue Node Cracked Open a Cross-Chain Vault — SecureShift","type":"research","url":"https://secureshift.io/blog/thorchain-exploit-analysis"},{"credibility":1,"name":"THORChain Exploit Report #1 — Official Blog","type":"official","url":"https://blog.thorchain.org/thorchain-exploit-report-1"},{"credibility":2,"name":"THORChain Publishes Exploit Report, Points to GG20 Flaw — CoinNewsSpan","type":"news_article","url":"https://www.coinnewsspan.com/thorchain-publishes-exploit-report-gg20-flaw/"}]},{"content":"According to TRM Labs on-chain analysis, the attacker drained assets from one of THORChain's Asgard vaults and consolidated proceeds into a two-address cluster before distributing across nine chains. Primary confirmed holdings included approximately 3,443 ETH valued at roughly $7.77 million, 36.85 BTC valued at roughly $2.97 million, and 96.6 BNB valued at approximately $66,000. Identified attacker wallet addresses include: Bitcoin address bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37; EVM primary address 0x82fc0d5150f3548027e971ec04c065f3c93154eb; EVM secondary address 0xd477b69551f49c0519f9b18c55030676138890bd; Bitcoin Cash address qpp775v2je9texcv54rhd6kl9pfudy2nyyz4df2uvc; Dogecoin address DBLJWFemMHbduKofBRg6TJ9XFAgWdvFCjS; Litecoin address ltc1qg0h4rz5kf27fkr99gamw4heg20rfz5epd7m7wh; and XRP address rwoGBrYEJ28jhBjchrTyCGXd1Pt4pobFBz. The vault that was compromised held assets from approximately 20% of THORChain's active protocol-owned vault funds. User funds and liquidity provider positions in unaffected vaults remained intact. No specific threat actor attribution has been established as of the time of publication.","heading":"Stolen Assets and On-Chain Tracing","severity":"critical","sources":[{"credibility":2,"name":"THORChain Exploit Drains USD 11M+ Across at Least Nine Chains — TRM Labs","type":"on_chain","url":"https://www.trmlabs.com/resources/blog/thorchain-exploit-drains-usd-11m-across-at-least-nine-chains-what-trm-knows-now"},{"credibility":2,"name":"THORChain Shares Exploit Report Revealing $10.7M Vault Breach by New Node — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/21/thorchain-shares-exploit-report-revealing-10-7m-vault-breach-by-new-node/"}]},{"content":"THORChain's automated solvency detection system identified abnormal vault balances within minutes of the attack beginning, when losses surpassed the network's automated 1% imbalance threshold. This triggered automatic halts to trading and signing on Ethereum, Avalanche, BSC, Base, Dogecoin, and Cosmos chains within approximately 52 minutes, without human intervention. Node operators were alerted via Discord and coordinated a broader response, stacking manual 720-block pauses and casting formal Mimir governance votes requiring only a 3-node consensus threshold for operational parameters. A network-wide halt covering trading, signing, chain observation, and churning was achieved within approximately two hours of the community raising the alarm. A patch release, version 3.18.1, was deployed as an immediate precautionary measure to safeguard the remaining vaults while the full investigation proceeded. The on-chain blockchain itself continued to operate throughout the halt; only swapping and signing were suspended.","heading":"Emergency Response and Protocol Halt","severity":"high","sources":[{"credibility":1,"name":"THORChain Exploit Report #1 — Official Blog","type":"official","url":"https://blog.thorchain.org/thorchain-exploit-report-1"},{"credibility":2,"name":"$10.8 Million Drained: Inside the THORChain Exploit That Froze Cross-Chain DeFi for 13 Hours — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/17/10-8-million-drained-inside-the-thorchain-exploit-that-froze-cross-chain-defi-for-13-hours/"}]},{"content":"On May 22, 2026, THORChain opened an ADR-028 (Architecture Decision Record 028) governance vote for node operators to determine the official recovery framework. The proposal outlined a two-tiered loss absorption structure: protocol-owned liquidity (POL) reserves would be drawn down to zero first, absorbing as much of the shortfall as possible, with any remaining losses socialized among synthetic asset (synth) holders. The plan explicitly avoids minting new RUNE tokens to cover losses, instead relying on existing protocol reserves and redirecting a portion of future system income to gradually rebuild POL over time. Node operators who participated in routine operations and were unconnected to the attacker were to be exempted from penalties. A 10% bounty was publicly offered to incentivize the return of stolen funds. THORChain engaged Outrider Analytics and indicated coordination with law enforcement in the investigation. Subsequent software versions 3.18.1 and 3.19.1 incorporated security patches. The 11-step restart plan included third-party security audits, node infrastructure overhauls, keyshare verification across all nodes using a KeyVerify process, and migration away from legacy vault sets.","heading":"Recovery Plan: ADR-028 and Governance Vote","severity":"high","sources":[{"credibility":2,"name":"THORChain node operators vote on network restart plan after $10.7 million vault exploit — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/thorchain-node-operators-vote-restart-plan/"},{"credibility":2,"name":"THORChain Opens ADR028 Vote as Community Charts Recovery Path — BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/05/22/thorchain-opens-adr028-vote-as-community-charts-recovery-path/"},{"credibility":2,"name":"THORChain proposes recovery plan after May 15 exploit, no new RUNE minted — CryptoBriefing","type":"news_article","url":"https://cryptobriefing.com/thorchain-recovery-plan-exploit-rune/"},{"credibility":2,"name":"THORChain sets 11-step restart plan after $10.7M hack — Crypto.news","type":"news_article","url":"https://crypto.news/thorchain-sets-11-step-restart-plan-after-10-7m-hack/"}]},{"content":"The May 2026 exploit is the third major security incident in THORChain's history. In June and July 2021, THORChain suffered three separate attacks within a single summer. A June 29, 2021 'fake deposit' attack resulted in approximately $350,000 in losses. A July 16, 2021 Ethereum Router exploit drained approximately $8 million. A July 23, 2021 ETH Router exploit drained an additional approximately $8 million; SlowMist analyzed all three incidents and attributed them to logical flaws in the Bifrost interface that did not account for manipulation of smart contract events. In 2024 and early 2025, THORChain attracted further controversy related to its alleged facilitation of Lazarus Group fund flows, with the protocol temporarily halting Ethereum transactions in January 2025 at the request of node operators. With the May 2026 incident adding $10.7 to $11 million in losses, TRM Labs estimated cumulative losses across all THORChain security incidents since 2021 now approach $25 million.","heading":"Prior Security History and Cumulative Losses","severity":"high","sources":[{"credibility":2,"name":"SlowMist: Analysis of Three Consecutive Attacks on THORChain (2021) — Medium","type":"research","url":"https://slowmist.medium.com/slowmist-analysis-of-three-consecutive-attacks-on-thorchain-6223f1c691be"},{"credibility":1,"name":"Post-mortem: ETH Router Exploits 1 & 2 — THORChain Medium","type":"official","url":"https://medium.com/thorchain/post-mortem-eth-router-exploits-1-2-and-premature-return-to-trading-incident-2908928c5fb"},{"credibility":2,"name":"THORChain Exploit Drains USD 11M+ Across at Least Nine Chains — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/thorchain-exploit-drains-usd-11m-across-at-least-nine-chains-what-trm-knows-now"}]},{"content":"THORChain had identified the Doerner-Kondi-Lee-Shelat (DKLS) threshold signature scheme as its intended long-term replacement for GG20 prior to the May 2026 exploit. In November 2025, the protocol engaged Silence Laboratories to build a custom DKLS implementation incorporating 'identifiable abort' functionality — a security property that allows the protocol to identify and penalize a malicious participant who attempts to deviate from the protocol, rather than simply aborting. The targeted delivery window was Q1 or Q2 2026. The custom DKLS implementation was not yet complete when the exploit occurred on May 15, 2026. The exploit demonstrated that the GG20 implementation deployed at the time lacked sufficient protections against the 'key extraction' attack class. Community discussions following the exploit included proposals to accelerate the transition away from GG20 entirely toward a more robust cryptographic framework. THORChain also confirmed in the post-exploit period that native Monero (XMR) swaps were being added to its roadmap, alongside Zcash.","heading":"Cryptographic Infrastructure: GG20 and Planned Migration to DKLS","severity":"medium","sources":[{"credibility":2,"name":"THORChain Node Exploits GG20 Flaw, Draining $10.7M Vault — PulseChain Nexus","type":"news_article","url":"https://www.pulsechain.nexus/thorchain-node-exploits-gg20-flaw-draining-10-7m-vault/"},{"credibility":2,"name":"THORChain node operators vote on network restart plan — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/thorchain-node-operators-vote-restart-plan/"},{"credibility":2,"name":"THORChain exploit raises fresh concerns over MPC wallet security — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/thorchain-exploit-raises-fresh-concerns-over-mpc-wallet-security/"}]},{"content":"THORChain resumed full trading operations on June 23, 2026, after a 39-day shutdown. The restart followed an 11-stage reactivation process that included third-party security audits, comprehensive node infrastructure reviews, keyshare verification for all active nodes via a KeyVerify process, and migration away from legacy vault sets. Version 3.19.1 incorporated the ADR-028 loss-recovery mechanism and the GG20 security patches. At the time of restart, RUNE traded near $0.42, approximately flat with minimal price movement on restart day. THORChain indicated that Monero swap support was working end-to-end in testing and would be launched imminently following the restart, with Zcash swaps planned subsequently. The protocol absorbed the $10.7 million loss through protocol-owned liquidity reserves without minting new RUNE. Confidence in the protocol's longer-term security posture remained under community scrutiny pending delivery of the DKLS migration from Silence Laboratories.","heading":"Network Restart and Current Status","severity":"medium","sources":[{"credibility":2,"name":"THORChain Reopens 39 Days After $10.7M Exploit, Teases XMR & ZEC Swaps — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/23/thorchain-reopens-39-days-after-10-7m-exploit-teases-xmr-zec-swaps/"},{"credibility":2,"name":"THORChain resumes trading after five-week halt following $10.7M exploit — CryptoBriefing","type":"news_article","url":"https://cryptobriefing.com/thorchain-resumes-trading-after-exploit/"},{"credibility":2,"name":"THORChain Trading Resumes After Exploit Halt, But Confidence Test Remains — Bitcoinist","type":"news_article","url":"https://bitcoinist.com/thorchain-trading-resumes-after-exploit-halt-but-confidence-test-remains/"}]},{"content":"The THORChain exploit drew attention from the broader cryptographic and blockchain security community regarding systemic risks in MPC-based custody systems. Academic literature has documented key-extraction weaknesses in GG20 and related multi-party ECDSA protocols where a malicious participant can progressively extract private key material from honest parties across multiple signing rounds. The GG20 academic paper recommends 'identifiable abort' variants as a mitigation, but not all production implementations include this feature. Security researchers noted that the attack class exploited at THORChain is applicable to any multi-party computation protocol lacking identifiable abort or equivalent adversarial-participant detection. The incident raised concerns among operators of other protocols using GG20-based MPC vaults. THORChain's case illustrated that even a properly designed threshold scheme can be vulnerable if an implementation does not include the full suite of security properties described in the academic specification.","heading":"Broader MPC Security Implications","severity":"medium","sources":[{"credibility":2,"name":"THORChain exploit raises fresh concerns over MPC wallet security — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/thorchain-exploit-raises-fresh-concerns-over-mpc-wallet-security/"},{"credibility":2,"name":"THORChain Hacked: How a Rogue Node Cracked Open a Cross-Chain Vault — SecureShift","type":"research","url":"https://secureshift.io/blog/thorchain-exploit-analysis"}]}],"sources_used":[{"credibility":1,"name":"THORChain Exploit Report #1 — Official Blog","type":"official","url":"https://blog.thorchain.org/thorchain-exploit-report-1"},{"credibility":1,"name":"Thorchain halts trading after $10 million cross-chain exploit, RUNE token drops 12% — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/05/15/thorchain-halts-trading-after-usd10-million-cross-chain-exploit-rune-token-drops-12"},{"credibility":2,"name":"THORChain Exploit Drains USD 11M+ Across at Least Nine Chains — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/thorchain-exploit-drains-usd-11m-across-at-least-nine-chains-what-trm-knows-now"},{"credibility":2,"name":"THORChain Hacked: How a Rogue Node Cracked Open a Cross-Chain Vault — SecureShift","type":"research","url":"https://secureshift.io/blog/thorchain-exploit-analysis"},{"credibility":2,"name":"THORChain resumes trading after five-week halt following $10.7M exploit — CryptoBriefing","type":"news_article","url":"https://cryptobriefing.com/thorchain-resumes-trading-after-exploit/"},{"credibility":2,"name":"THORChain Publishes Exploit Report, Points to GG20 Flaw — CoinNewsSpan","type":"news_article","url":"https://www.coinnewsspan.com/thorchain-publishes-exploit-report-gg20-flaw/"},{"credibility":2,"name":"$10.8 Million Drained: Inside the THORChain Exploit That Froze Cross-Chain DeFi for 13 Hours — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/17/10-8-million-drained-inside-the-thorchain-exploit-that-froze-cross-chain-defi-for-13-hours/"},{"credibility":2,"name":"THORChain Shares Exploit Report Revealing $10.7M Vault Breach by New Node — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/21/thorchain-shares-exploit-report-revealing-10-7m-vault-breach-by-new-node/"},{"credibility":2,"name":"THORChain node operators vote on network restart plan after $10.7 million vault exploit — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/thorchain-node-operators-vote-restart-plan/"},{"credibility":2,"name":"THORChain Opens ADR028 Vote as Community Charts Recovery Path — BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/05/22/thorchain-opens-adr028-vote-as-community-charts-recovery-path/"},{"credibility":2,"name":"THORChain proposes recovery plan after May 15 exploit, no new RUNE minted — CryptoBriefing","type":"news_article","url":"https://cryptobriefing.com/thorchain-recovery-plan-exploit-rune/"},{"credibility":2,"name":"THORChain sets 11-step restart plan after $10.7M hack — Crypto.news","type":"news_article","url":"https://crypto.news/thorchain-sets-11-step-restart-plan-after-10-7m-hack/"},{"credibility":2,"name":"THORChain Reopens 39 Days After $10.7M Exploit, Teases XMR & ZEC Swaps — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/23/thorchain-reopens-39-days-after-10-7m-exploit-teases-xmr-zec-swaps/"},{"credibility":2,"name":"THORChain Trading Resumes After Exploit Halt, But Confidence Test Remains — Bitcoinist","type":"news_article","url":"https://bitcoinist.com/thorchain-trading-resumes-after-exploit-halt-but-confidence-test-remains/"},{"credibility":2,"name":"THORChain exploit raises fresh concerns over MPC wallet security — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/thorchain-exploit-raises-fresh-concerns-over-mpc-wallet-security/"},{"credibility":2,"name":"THORChain Node Exploits GG20 Flaw, Draining $10.7M Vault — PulseChain Nexus","type":"news_article","url":"https://www.pulsechain.nexus/thorchain-node-exploits-gg20-flaw-draining-10-7m-vault/"},{"credibility":2,"name":"SlowMist: Analysis of Three Consecutive Attacks on THORChain — Medium","type":"research","url":"https://slowmist.medium.com/slowmist-analysis-of-three-consecutive-attacks-on-thorchain-6223f1c691be"},{"credibility":1,"name":"THORChain Post-Mortem: ETH Router Exploits 1 & 2 — Medium","type":"official","url":"https://medium.com/thorchain/post-mortem-eth-router-exploits-1-2-and-premature-return-to-trading-incident-2908928c5fb"},{"credibility":2,"name":"THORChain Exploit Traced to Malicious Node and GG20 Key-Reconstruction Flaw — Crypto Economy","type":"news_article","url":"https://crypto-economy.com/thorchain-exploit-traced-to-malicious-node-and-gg20-key-reconstruction-flaw/"},{"credibility":2,"name":"THORChain Halts Trading After $10.8M Exploit, Raises Concerns Over MPC Wallet Security — KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/thorchain-halts-trading-after-10-8m-exploit-raises-concerns-over-mpc-wallet-security"}],"summary":"On May 15, 2026, THORChain suffered a targeted cryptographic exploit in which a malicious node operator reconstructed a full private key from a single Asgard vault by exploiting incremental key material leakage in the GG20 Threshold Signature Scheme, draining approximately $10.7 to $11 million across nine blockchain networks. The protocol executed an automated and community-coordinated emergency halt, published a formal exploit report on May 21, 2026, and resumed trading on June 23, 2026, after a 39-day shutdown and an 11-stage security overhaul. The incident is the third major security breach in THORChain's history and exposed systemic risks in GG20-based MPC implementations.","timeline":[{"date":"2021-06-29","event":"THORChain suffers first major exploit via fake deposit attack; approximately $350,000 lost.","source":"SlowMist Analysis — Medium","source_url":"https://slowmist.medium.com/slowmist-analysis-of-three-consecutive-attacks-on-thorchain-6223f1c691be"},{"date":"2021-07-16","event":"THORChain ETH Router exploit #1 drains approximately $8 million.","source":"THORChain Post-Mortem — Medium","source_url":"https://medium.com/thorchain/post-mortem-eth-router-exploits-1-2-and-premature-return-to-trading-incident-2908928c5fb"},{"date":"2021-07-23","event":"THORChain ETH Router exploit #2 drains approximately $8 million; third incident in one summer.","source":"THORChain Post-Mortem — Medium","source_url":"https://medium.com/thorchain/post-mortem-eth-router-exploits-1-2-and-premature-return-to-trading-incident-2908928c5fb"},{"date":"2025-11-01","event":"THORChain engages Silence Laboratories to develop a custom DKLS threshold signature implementation to replace GG20, targeting Q1/Q2 2026 delivery.","source":"Cryptopolitan — THORChain node operators vote on network restart plan","source_url":"https://www.cryptopolitan.com/thorchain-node-operators-vote-restart-plan/"},{"date":"2026-05-13","event":"Malicious node operator (thor16ucjv3v695mq283me7esh0wdhajjalengcn84q) joins THORChain network with approximately 635,000 RUNE bonded collateral.","source":"THORChain Exploit Report #1","source_url":"https://blog.thorchain.org/thorchain-exploit-report-1"},{"date":"2026-05-15","event":"Exploit executed: attacker reconstructs full private key for one Asgard vault using GG20 key material leakage and drains approximately $10.7 to $11 million across at least nine blockchains.","source":"CoinDesk — Thorchain halts trading after $10 million cross-chain exploit","source_url":"https://www.coindesk.com/tech/2026/05/15/thorchain-halts-trading-after-usd10-million-cross-chain-exploit-rune-token-drops-12"},{"date":"2026-05-15","event":"Automated solvency checker triggers within 52 minutes of exploit onset, halting signing and trading on Ethereum, Avalanche, BSC, Base, Dogecoin, and Cosmos chains. RUNE declines approximately 12%.","source":"THORChain Exploit Report #1","source_url":"https://blog.thorchain.org/thorchain-exploit-report-1"},{"date":"2026-05-15","event":"Node operators coordinate on Discord to issue manual pauses and Mimir governance votes; network-wide halt across trading, signing, chain observation, and churning achieved within approximately two hours.","source":"THORChain Exploit Report #1","source_url":"https://blog.thorchain.org/thorchain-exploit-report-1"},{"date":"2026-05-15","event":"Emergency patch v3.18.1 released to safeguard remaining vaults.","source":"CryptoBriefing — THORChain resumes trading after five-week halt","source_url":"https://cryptobriefing.com/thorchain-resumes-trading-after-exploit/"},{"date":"2026-05-21","event":"THORChain publishes Exploit Report #1, detailing the full incident timeline, GG20 vulnerability, and governance recovery pathway via ADR-028.","source":"THORChain Exploit Report #1","source_url":"https://blog.thorchain.org/thorchain-exploit-report-1"},{"date":"2026-05-22","event":"ADR-028 governance vote opened to node operators, proposing loss absorption through protocol-owned liquidity and a 10% bounty for fund return.","source":"BanklessTimes — THORChain Opens ADR028 Vote","source_url":"https://www.banklesstimes.com/articles/2026/05/22/thorchain-opens-adr028-vote-as-community-charts-recovery-path/"},{"date":"2026-06-23","event":"THORChain resumes full trading after 39-day shutdown, completing an 11-stage reactivation process including security audits, vault migration, and node keyshare verification. RUNE trades near $0.42.","source":"CryptoTimes — THORChain Reopens 39 Days After $10.7M Exploit","source_url":"https://www.cryptotimes.io/2026/06/23/thorchain-reopens-39-days-after-10-7m-exploit-teases-xmr-zec-swaps/"}]},"v":1}Verify offline (run on your own machine)python -m src.verify_decision 603c8be1-1640-4322-abde-f0f3fb6875c5
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine —
python -m src.verify_decision <event_id>.