THORChain Exploit Linked to Malicious Node and GG20 Flaw

A recent $10.7 million exploit on the THORChain decentralized cross-chain liquidity protocol has been traced back to a critical vulnerability in the GG20 threshold signature scheme. According to security researchers, the attack was executed by a malicious node operator who exploited a flaw in the GG20 protocol to reconstruct a full private key controlling one of THORChain’s vaults.

The GG20 vulnerability allowed the hostile node to bypass the usual multi-party computation safeguards. In a standard THORChain setup, multiple nodes must cooperate to sign transactions, preventing any single node from accessing the full key. However, the malicious node was able to leverage the flaw to derive the complete private key, then drain the vault of its assets.

The exploit netted the attacker approximately $10.7 million in various cryptocurrencies. THORChain paused operations soon after detecting the breach and has since implemented a fix for the GG20 issue. The team also initiated a review of all vaults and node operators to ensure no other backdoors exist.

This incident highlights the ongoing risks in decentralized finance, particularly for protocols relying on complex cryptographic systems. While THORChain has resumed normal operations, the event serves as a stark reminder that even advanced security measures can be undermined by subtle implementation bugs. The community is now calling for more rigorous audits and real-time monitoring of threshold signature processes to prevent similar attacks in the future.

