New Node Operator Waited Two Weeks, Then Drained $10.7M From THORChain via GG20 Flaw
A previously unknown node operator on the THORChain network executed a carefully planned exploit on May 15, siphoning $10.7 million in crypto assets by exploiting a vulnerability in the GG20 threshold signature scheme. The attack, which was two weeks in the making, has raised urgent questions about the security of cross-chain liquidity protocols and the trust assumptions underlying decentralized finance.
Timeline of the Attack: From Discord to Drain

The operator, using the handle ‘Dinosauruss,’ joined THORChain’s developer Discord on May 1. The account was newly created, but the questions were pointed and technical — specifically about how to get a node churned into the network’s active set. Over the following two weeks, the operator successfully onboarded a node, waited for it to become active, and then exploited a known but unresolved vulnerability in the GG20 protocol used for threshold signature generation.
The GG20 flaw, which had been previously documented in academic circles, allows a malicious participant in a multi-party computation to extract the group’s private key share by manipulating the signing process. In THORChain’s case, this meant the rogue node could forge signatures and initiate unauthorized withdrawals from the network’s pools.
How the Exploit Worked
THORChain relies on a network of nodes that collectively manage private keys using threshold signatures. Under normal operation, a subset of nodes must sign off on any transaction. The GG20 vulnerability, however, allows a single malicious node to craft a signature that appears valid to the rest of the network, effectively bypassing the security threshold.
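To make the threshold property concrete, here is an added example (not THORChain's code or any TSS library's) of Shamir t-of-n sharing over the secp256k1 group order: any t shares rebuild the key, any t-1 shares yield an unrelated value, which is exactly the guarantee a signing-protocol flaw lets a single participant sidestep. The share layout and the demo parameters are assumptions of this example.

```python
"""Shamir t-of-n secret sharing over the secp256k1 group order.

Added example, not THORChain or any TSS library's code.  It shows the
threshold property a TSS-managed key depends on: any t shares rebuild
the key, any t-1 shares yield an unrelated value.  A signing-protocol
flaw lets a participant get around this property without ever holding
t honest shares, which is why the threshold alone is not a guarantee.
"""
import random

# Order of the secp256k1 group; ECDSA private keys are scalars mod N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split_secret(secret, t, n, rng=None):
    """Return n shares (x, y) such that any t of them reconstruct `secret`."""
    if rng is None:
        rng = random.SystemRandom()
    assert 1 <= t <= n < N and 0 <= secret < N
    # Random polynomial of degree t-1 with f(0) = secret.
    coeffs = [secret] + [rng.randrange(1, N) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, k, N) for k, c in enumerate(coeffs)) % N)
            for x in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange interpolation of f(0) from the given (x, y) shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        total = (total + yi * num * pow(den, -1, N)) % N
    return total


def demo(t=3, n=5, seed=1):
    """Return (t shares suffice, t-1 shares suffice) for a seeded test key."""
    rng = random.Random(seed)          # seeded only so the demo is repeatable
    key = rng.randrange(1, N)
    shares = split_secret(key, t, n, rng)
    return (reconstruct(shares[1:t + 1]) == key,   # any t shares work
            reconstruct(shares[:t - 1]) == key)    # t-1 shares do not
```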
The attacker exploited this by initiating a series of legitimate-looking swap requests. Each request triggered a signing ceremony, during which the malicious node manipulated its share of the computation. Over the course of several hours, the attacker drained approximately $10.7 million in various assets, including Bitcoin, Ether, and stablecoins, before the network paused operations.
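The drain ran for hours before validators paused the network, so a defender's first question is how to catch it sooner. The following is an added example (not THORChain's code) of a rolling-window outflow circuit breaker that also reports which node signed every outbound in the tripped window; the record layout, window, limit and node names are constructed for the example.

```python
"""Outflow circuit breaker over a constructed outbound log.

Added example, not THORChain code.  It halts on the first outbound that
pushes the rolling-window value leaving the vaults over a limit, and
returns the signer set common to every outbound in that window, since a
node present in all of them (especially a freshly churned-in one) is the
first thing to inspect.  Layout, window and limit are assumed.
"""
from collections import deque

WINDOW_SECONDS = 3600               # rolling window (assumed)
USD_LIMIT_PER_WINDOW = 2_000_000    # pause threshold (assumed)

# Constructed sample: (unix_time, asset, usd_value, signer_set) per outbound.
SAMPLE_OUTBOUNDS = [
    (1_000, "BTC.BTC",  120_000, {"node-a", "node-b", "node-x"}),
    (1_900, "ETH.ETH",  300_000, {"node-b", "node-c", "node-x"}),
    (2_500, "ETH.USDC", 450_000, {"node-a", "node-c", "node-x"}),
    (3_100, "BTC.BTC",  900_000, {"node-a", "node-d", "node-x"}),
    (3_400, "ETH.USDT", 700_000, {"node-b", "node-d", "node-x"}),  # trips here
    (9_000, "BTC.BTC",   50_000, {"node-a", "node-b", "node-c"}),
]


def first_breach(outbounds, window=WINDOW_SECONDS, limit=USD_LIMIT_PER_WINDOW):
    """Return (index, window_total, indexes_in_window) for the first outbound
    that pushes rolling outflow over `limit`, or None.  Input sorted by time."""
    recent = deque()
    total = 0
    for i, (ts, _asset, usd, _signers) in enumerate(outbounds):
        recent.append((ts, usd))
        total += usd
        while recent and recent[0][0] < ts - window:   # evict stale entries
            total -= recent.popleft()[1]
        if total > limit:
            start = recent[0][0]
            return i, total, [j for j in range(i + 1) if outbounds[j][0] >= start]
    return None


def common_signers(outbounds, indexes):
    """Nodes that signed every outbound in `indexes`."""
    if not indexes:
        return set()
    common = set(outbounds[indexes[0]][3])
    for j in indexes[1:]:
        common &= outbounds[j][3]
    return common
```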
Immediate Response and Network Pause
THORChain validators detected anomalous activity shortly after the exploit began and voted to pause the network. The team confirmed the incident publicly within hours, stating that the vulnerability was in the GG20 implementation and that a fix was being deployed. The network remained paused for approximately 48 hours while nodes were updated to a patched version of the software.
Notably, the THORChain team had been aware of the GG20 vulnerability in theory but had not implemented mitigations at the protocol level. The attack exploited a known attack vector that had been discussed in cryptographic research papers since 2020.
What This Means for Cross-Chain DeFi
The exploit highlights a fundamental tension in cross-chain protocols: the need for speed and low fees versus the complexity of secure multi-party computation. THORChain’s design allows for native, non-custodial swaps between blockchains, but the reliance on threshold signatures introduces a single point of cryptographic failure if any node is compromised.
Security experts have noted that while the GG20 vulnerability is not new, its practical exploitation in a live, high-value network is a significant escalation. Other protocols using similar threshold signature schemes — including some implementations of ECDSA and BLS — may be at risk if they have not audited their specific implementations.
The attack also raises questions about node onboarding procedures. THORChain’s permissionless node model allows anyone to join the active set by staking RUNE, the network’s native token. While this aligns with the ethos of decentralization, it also means that malicious actors can enter with minimal friction, as demonstrated by the Dinosauruss node.
Recovery and Next Steps
THORChain has since resumed operations with the patched software. The team has stated that the stolen funds are not recoverable through protocol means, though they are working with law enforcement and blockchain analytics firms to trace the movement of assets. The attacker’s node has been removed from the active set, and the staked RUNE has been slashed as a penalty.
The incident has prompted renewed calls for formal verification of cryptographic implementations in DeFi protocols. Several other cross-chain projects have announced internal audits of their GG20 and related signing code in the wake of the exploit.
Conclusion
The THORChain exploit is a sobering reminder that even well-funded, audited protocols can fall victim to known cryptographic weaknesses if those weaknesses are not proactively addressed. For users, the event underscores the importance of understanding the security assumptions behind the DeFi protocols they use — and the risks of trusting permissionless node networks with significant value. The industry will be watching closely to see whether THORChain and others can close the gap between theoretical security and operational reality.
FAQs
Q1: What is the GG20 vulnerability?
The GG20 vulnerability is a flaw in a threshold signature scheme that allows a malicious participant in a multi-party computation to extract the group’s private key by manipulating the signing process. It was first documented in academic research in 2020.
Q2: How much was stolen from THORChain?
Approximately $10.7 million in various crypto assets, including Bitcoin, Ether, and stablecoins, was drained from THORChain’s liquidity pools on May 15.
Q3: Was the vulnerability known before the attack?
Yes, the GG20 vulnerability was known in cryptographic research circles. However, THORChain had not implemented specific mitigations at the protocol level before the exploit occurred.
