THORChain published its first official post-mortem of the May 15 exploit today, May 21, 2026, through a social media post on X (formerly known as Twitter). According to the report, about $10.7 million was stolen from one of its five vaults. The report says that the attacker was a freshly churned node operator who exploited a flaw in THORChain’s GG20 threshold signature implementation.
Automatic monitors flagged the deficit within minutes and shut down trading across several chains; node operators then layered manual pauses and on-chain votes to freeze the whole network within roughly two hours.
Three things stand out in the new report: investigators have linked the malicious node to the wallets that received the stolen funds, the loss estimate has been raised from the earlier $7.4 million to $10.7 million, and THORChain has shipped an emergency update (v3.18.1) to help secure the remaining vaults while the investigation continues.
How THORChain Keys Work and How They Failed
THORChain does not use a single private key for a vault. Instead, it uses a Threshold Signature Scheme (TSS) called GG20, where independent nodes each hold a share of the key and jointly create valid signatures without ever reconstructing the full private key in one place.
The new report says the attacker managed to reconstruct the full private key despite the GG20 setup. In plain terms, the attacker used a weakness in the GG20 implementation to extract enough secret material to sign outgoing transactions directly, bypassing the normal multi-party signing ceremonies that are supposed to prevent any one party from controlling funds.
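To make the two sentences above concrete, here is an added toy example (not THORChain's code and not GG20, which is an ECDSA protocol) using a Schnorr signature over a small prime-order group with n-of-n additive key shares. It shows the property a TSS is supposed to give, a valid signature produced from partial contributions without anyone holding the full key, and then what the report describes going wrong: once enough secret material sits in one place, the key can be reconstructed and used to sign alone. The group size, the challenge hashing and all function names are assumptions chosen for readability.

```python
import hashlib
import secrets

# Toy Schnorr group: p = 2q + 1 with both prime, and g = 2^2 mod p has order q.
# Far too small for real use; chosen so the arithmetic is easy to follow.
P = 2039
Q = 1019
G = 4


def challenge(R: int, y: int, msg: bytes) -> int:
    """Fiat-Shamir challenge e = H(R, y, msg) reduced into the exponent group."""
    data = f"{R}|{y}|".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen_shares(n: int):
    """Each of n parties samples its own additive share d_i of the key.

    The full key d = sum(d_i) mod q is never formed anywhere; only the public
    key y = g^d = prod(g^d_i) is assembled from the parties' public commitments.
    """
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    y = 1
    for d_i in shares:
        y = y * pow(G, d_i, P) % P
    return shares, y


def sign_jointly(shares, y: int, msg: bytes):
    """n-of-n signing ceremony: each party contributes a nonce share k_i and a
    partial signature s_i = k_i + e*d_i. The combiner only ever sees the sums,
    so neither the key d nor the nonce k is reconstructed."""
    nonces = [secrets.randbelow(Q - 1) + 1 for _ in shares]
    R = 1
    for k_i in nonces:
        R = R * pow(G, k_i, P) % P          # R = g^k with k = sum(k_i)
    e = challenge(R, y, msg)
    partials = [(k_i + e * d_i) % Q for k_i, d_i in zip(nonces, shares)]
    return R, sum(partials) % Q


def sign_alone(d: int, y: int, msg: bytes):
    """Ordinary single-signer Schnorr: what an attacker can do once d is known,
    with no ceremony and no other party involved."""
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    e = challenge(R, y, msg)
    return R, (k + e * d) % Q


def verify(y: int, msg: bytes, sig) -> bool:
    """Standard check g^s == R * y^e; the verifier cannot tell joint from solo."""
    R, s = sig
    e = challenge(R, y, msg)
    return pow(G, s, P) == R * pow(y, e, P) % P


def reconstruct_key(shares) -> int:
    """Only possible if every share (or equivalent secret material) leaks to one
    party. In a sound TSS this value exists only implicitly; the report says the
    GG20 flaw let the attacker obtain enough material to compute it."""
    return sum(shares) % Q


if __name__ == "__main__":
    shares, y = keygen_shares(3)
    sig = sign_jointly(shares, y, b"outbound tx 1")
    print("joint signature verifies:", verify(y, b"outbound tx 1", sig))
    d = reconstruct_key(shares)
    rogue = sign_alone(d, y, b"drain vault")
    print("solo signature with leaked key verifies:", verify(y, b"drain vault", rogue))
```

The point of the last two lines is the security-relevant one: a signature produced from a leaked full key is indistinguishable on chain from one produced by the proper ceremony, which is why a key-extraction flaw in the TSS cannot be caught by the signature verifier and has to be caught by balance monitoring instead.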
Why The Other Vaults Were Safe
The incident affected only one vault; the remaining vaults were not drained. THORChain confirms that EdDSA-based chains (for example Solana) were not exposed to this attack vector, because GG20 is an ECDSA scheme and those chains do not sign through it. That meant the SOL pool was explicitly safe.
Automatic and manual defenses contained the damage
The network has layered protections that together limit further losses. First, an automatic solvency checker continuously compares the balance each vault is expected to hold with the balance observed on the external chain. That checker detected the shortfall within minutes and, without human action, automatically halted trading and signing on multiple chains, including Ethereum, Avalanche, Binance Smart Chain and a few others.
Second, node operators used manual pause functions and Mimir on-chain parameter votes to freeze activity more broadly. A sequence of 720-block manual pauses, stacked by different nodes, created a multi-hour window, and three Mimir votes (the threshold required to change operational parameters) activated global halts for trading, signing, chain observation and churning.
Churning, the process that lets nodes enter or leave the validator set, was paused to prevent the attacker from exiting and to stop any other malicious node from joining.
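The automatic solvency checker is the detection that mattered here, so below is an added illustration of that logic (example code, not THORChain's implementation). It compares, per chain, what a vault is expected to hold with what the external chain reports, expresses any shortfall in basis points, and emits a halt decision when the shortfall crosses a tolerance. The field names, the 1% default tolerance and the snapshot data are all assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VaultView:
    """One chain's view of a vault, in the asset's base units (wei, satoshi, ...)."""
    chain: str
    pool_depth: int        # asset the ledger says belongs to the pools on this chain
    pending_outbound: int  # outbounds scheduled but not yet broadcast; still in the vault
    observed: int          # balance reported by the external chain's node or indexer

    @property
    def expected(self) -> int:
        # The vault should still hold everything in the pools plus anything
        # queued to leave that has not yet been broadcast.
        return self.pool_depth + self.pending_outbound


def deficit_bps(view: VaultView) -> int:
    """Shortfall as basis points of the expected balance (0 when fully covered)."""
    if view.expected <= 0:
        return 0
    short = max(view.expected - view.observed, 0)
    return short * 10_000 // view.expected


def solvency_actions(views, halt_bps: int = 100) -> dict:
    """Map each chain to 'halt' or 'ok'.

    A small tolerance (halt_bps; the 1% default is a hypothetical value) absorbs
    gas and rounding drift so the checker does not halt trading on every dust
    mismatch, while an actual drain crosses it immediately.
    """
    return {
        v.chain: "halt" if deficit_bps(v) > halt_bps else "ok"
        for v in views
    }


# Constructed sample snapshot (not real THORChain data): the ETH vault is short by
# 15%, BTC is within gas drift, SOL holds slightly more than expected, and BSC is empty.
SAMPLE_SNAPSHOT = [
    VaultView("ETH", pool_depth=900_000, pending_outbound=100_000, observed=850_000),
    VaultView("BTC", pool_depth=10_000, pending_outbound=0, observed=9_995),
    VaultView("SOL", pool_depth=200_000, pending_outbound=0, observed=200_100),
    VaultView("BSC", pool_depth=0, pending_outbound=0, observed=0),
]


if __name__ == "__main__":
    for chain, action in solvency_actions(SAMPLE_SNAPSHOT).items():
        print(f"{chain}: {action} ({deficit_bps(next(v for v in SAMPLE_SNAPSHOT if v.chain == chain))} bps short)")
```

Two design points worth noting: the check is per chain, which is what lets one chain halt while others keep trading, and it treats a surplus as zero deficit rather than as an error, since a vault receiving unsolicited funds is not an insolvency. A stolen outbound shows up as observed falling below expected without any corresponding scheduled outbound, which is exactly the signal this check keys on.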
THORChain Reveals New Details in Exploit Post-Mortem
THORChain released its first formal incident report, revealing that the attacker’s node joined the active validator set just two days before the exploit, possibly through social engineering. The team also increased the estimated losses from $7.4 million to $10.7 million after deeper on-chain tracing.
Developers confirmed they had been preparing a migration from GG20 to a more secure DKLS-based system with Silence Laboratories, but the upgrade was not ready in time. THORChain has now released patch v3.18.1 and asked node operators to reduce certain services while security updates continue.
Recovery Efforts and Next Steps
THORChain is continuing investigations with forensic experts and law enforcement while the community discusses recovery options under ADR-028. Possible measures include bond slashing and the use of protocol-owned liquidity to cover losses.
The team also plans to release a deeper technical breakdown once it is safe to disclose more details to other projects still using GG20.
Despite the exploit, THORChain’s monitoring systems and fast response helped contain the damage to a single vault. Attention is now shifting toward recovery decisions, patch deployment and completing the network’s longer-term cryptography upgrade.
