THORChain resumed operations after more than a month of security reviews following a $10.7 million exploit on May 15. The decentralized cross-chain liquidity network restored trading, swaps, transaction signing, and liquidity provider functions after deploying security upgrades, verifying node keyshares, and migrating assets to a new vault architecture. The exploit stemmed from a vulnerability in THORChain's GG20 threshold signature scheme that allowed a malicious node operator to reconstruct a private key and access protocol funds.
THORChain Addresses GG20 Vulnerability and Deploys Emergency Patches
The exploit was traced to a vulnerability within THORChain's GG20 threshold signature scheme, a security mechanism designed to protect protocol vaults by distributing key control among multiple node operators. According to the development team, the flaw allowed a malicious node operator to gradually reconstruct a complete private key through a process described as progressive key material leakage, ultimately enabling unauthorized access to protocol funds and theft of approximately $10.7 million.
THORChain immediately suspended operations and deployed an emergency patch on May 20 to safeguard active vaults and prevent further losses. The protocol released a major software upgrade on June 9 that addressed the exploited vulnerability and strengthened the network's overall security framework. A subsequent update on June 11 introduced stability improvements and enhancements to the KeyVerify protocol.
Protocol Completes Vault Migration and KeyVerify Process
THORChain completed verification of every node's keyshare and confirmed the safety of most protocol vaults through the KeyVerify system. The network retired its remaining legacy vaults and migrated assets to a new vault architecture as part of the recovery process.
THORChain is one of the crypto industry's largest cross-chain trading protocols, allowing users to swap assets across multiple blockchain ecosystems, including Bitcoin and Ethereum, without relying on centralized intermediaries. The protocol has attracted attention from blockchain investigators because cybercriminals have previously used its cross-chain infrastructure to move and exchange stolen digital assets.
THORChain Announces Zcash, Monero, and TAO Integration Timeline
The protocol revealed plans to introduce native swaps and vault support for privacy-focused cryptocurrency Zcash (ZEC) in the next two weeks. Support for Monero (XMR), another privacy-centric digital asset, is expected to follow shortly afterward. THORChain plans to integrate Bittensor's TAO token approximately six weeks after the network restart, to expand the range of assets available in its decentralized liquidity ecosystem.
FAQ
What caused the $10.7 million THORChain exploit on May 15?
The exploit was caused by a vulnerability in THORChain's GG20 threshold signature scheme that allowed a malicious node operator to gradually reconstruct a complete private key through progressive key material leakage, enabling unauthorized access to protocol funds.
When did THORChain deploy security upgrades after the exploit?
THORChain deployed an emergency patch on May 20, released a major software upgrade on June 9, and introduced a subsequent stability update on June 11 to address the vulnerability and strengthen the network's security framework.
What new assets will THORChain support after resuming operations?
THORChain plans to introduce native swaps and vault support for Zcash (ZEC) in the next two weeks, followed by Monero (XMR) shortly afterward, and Bittensor's TAO token approximately six weeks after the network restart.
