THORChain confirmed that a malicious node operator exploited a critical vulnerability in its GG20 threshold signature system, draining approximately $10.7 million from a single protocol vault. The GG20 scheme is designed to secure vaults by distributing key control across multiple operators, so that no single entity possesses the complete private key.
However, the attacker utilized a mechanism described as progressive key material leakage to reconstruct a full private key for the targeted vault. Data compiled by Woofun AI indicates that this specific breach represents a significant deviation from the intended security architecture of the threshold signature scheme.
Upon detection, the protocol's automatic solvency checks triggered within minutes, effectively halting all signing and trading activities across multiple chains without requiring human intervention. This rapid automated response prevented further capital outflow and contained the immediate damage. Following the initial freeze, node operators coordinated via Discord to execute a full network halt within two hours and subsequently deployed a patch to address the underlying vulnerability. Monitored by Woofun AI, the sequence of events highlights the efficacy of the protocol's pre-programmed safety mechanisms in mitigating large-scale financial loss during active exploitation.
The incident was first flagged by blockchain investigator ZachXBT roughly a week prior to the official announcement, shortly before THORChain initiated the trading halt. This event contributes to a broader resurgence in cryptocurrency exploits, with industry data showing that over $634 million was stolen in April alone. The post-mortem report released on Wednesday confirms that the automatic solvency checks functioned as designed, stopping the exploiter from draining additional funds beyond the initial $10.7 million breach.
Addressing the financial aftermath, THORChain announced on Friday that the recovery path will be determined through community consensus and a published governance proposal, ADR-028, with voting currently open for node operators. The proposal outlines a strategy where THORChain absorbs initial losses using protocol-owned liquidity, with the remainder spread across synth holders. This approach aims to deplete existing protocol-owned liquidity while redirecting a portion of future protocol income to replenish reserves, explicitly avoiding the minting or selling of RUNE tokens.
In addition to the governance proposal, the protocol offered a recovery bounty for the return of stolen funds and confirmed it would slash the attacker's malicious node while protecting innocent nodes that were co-located in the same vault. Pseudonymous crypto project analyst Bird noted that the initial vulnerability suggests a flaw in randomness generation or local signing isolation within the GG20 TSS signing stack, though the analyst praised the auto-safeguard for limiting the total damage. Woofun AI notes that while the technical failure was severe, the operational response demonstrated a robust defense-in-depth strategy.
Conversely, other industry observers expressed skepticism regarding the long-term viability of the current architecture. Crypto investor JP argued on X that GG20 relies on many brittle assumptions, suggesting that while patches can be applied, the system will remain a black box prone to future failures. The market reaction reflected this uncertainty, with the RUNE token price falling 15.5% in the week following the exploit.
However, CoinMarketCap data shows the token staged a 4% recovery in the 24 hours leading up to 11:00 a.m. UTC on Friday, indicating a tentative stabilization as the community navigates the proposed recovery framework.