THORChain Exploit: Rogue Node Drains $10.7M, Recovery Plan Revealed


Key takeaways:

  • THORChain's rapid halt and no-dilution pledge defend RUNE, but having synth holders absorb losses reshapes the risk they carry.
  • Amid $620M YTD DeFi losses, this exploit may accelerate capital shifts to safer protocols.
  • Migration to the DKLS signature scheme lowers long-term risk, presenting a potential re-entry point for RUNE dip-buyers.

On May 15, 2026, THORChain suffered a security exploit that resulted in the loss of approximately $10.7 million in digital assets. A malicious node operator exploited a vulnerability in the GG20 threshold signature scheme to reconstruct a vault's private key, allowing unauthorized outbound transactions across multiple chains including Bitcoin, Ethereum, BSC, Base, AVAX, DOGE, and GAIA.

The attacker, using the Discord handle Dinosauruss, joined the community on May 1 and inquired about node churn timing. By May 13, their node (n84q) entered the active validator set with 635,000 RUNE bonded. For two days, the node participated in routine signing ceremonies, progressively leaking key material until the full private key was reconstructed. Once obtained, transactions were signed and broadcast directly, bypassing the GG20 ceremony.

THORChain’s reactive solvency checker identified the divergence within minutes, triggering automatic halts on affected chains. Community members quickly flagged suspicious transactions, and node xuuu initiated a manual 720-block pause. Within two hours, approximately 18 to 20 nodes stacked pauses, and formal Mimir governance votes activated network-wide halts at blocks 26183438 through 26183849, locking down trading, signing, and churning to prevent the attacker from exiting.
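
An added illustration of the kind of check described above, not THORChain's own code: reconcile what the vault shows on-chain against what the protocol itself authorized, and halt any chain where the two diverge. The function name, data shapes, balances and transaction ids are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Outbound:
    chain: str
    txid: str
    amount: Decimal


def chains_to_halt(expected, onchain, authorized, observed, tolerance):
    """Return {chain: [reasons]} for every chain whose vault state diverges.

    expected   -- balance the protocol's own accounting says the vault holds
    onchain    -- balance actually observed at the vault address
    authorized -- set of (chain, txid) the protocol scheduled and signed
    observed   -- outbound transactions seen leaving the vault address
    tolerance  -- per-chain slack for fee rounding
    """
    reasons = defaultdict(list)
    # A key used outside the signing ceremony produces outbounds that the
    # protocol never scheduled, so they have no matching authorized record.
    for tx in observed:
        if (tx.chain, tx.txid) not in authorized:
            reasons[tx.chain].append(f"unauthorized outbound {tx.txid} ({tx.amount})")
    # Fail closed: a chain with no observed balance is treated as empty.
    for chain, want in expected.items():
        shortfall = want - onchain.get(chain, Decimal(0))
        if shortfall > tolerance.get(chain, Decimal(0)):
            reasons[chain].append(f"vault short by {shortfall}")
    return dict(reasons)


# Constructed sample state: one authorized BTC outbound, one ETH transfer
# with no protocol record, and DOGE off by fee dust only.
EXPECTED = {"BTC": Decimal("100"), "ETH": Decimal("2000"), "DOGE": Decimal("50000")}
ONCHAIN = {"BTC": Decimal("100"), "ETH": Decimal("1500"), "DOGE": Decimal("49999.999")}
AUTHORIZED = {("BTC", "tx-a1")}
OBSERVED = [Outbound("BTC", "tx-a1", Decimal("1")), Outbound("ETH", "tx-x9", Decimal("500"))]
TOLERANCE = {"BTC": Decimal("0.0001"), "ETH": Decimal("0.01"), "DOGE": Decimal("0.01")}

if __name__ == "__main__":
    for chain, why in chains_to_halt(EXPECTED, ONCHAIN, AUTHORIZED, OBSERVED, TOLERANCE).items():
        print(f"HALT {chain}: {'; '.join(why)}")
```
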

On-chain forensics linked the malicious node to the receiving Ethereum addresses, and the loss estimate was revised to $10.7 million. Coordination with Outrider Analytics and law enforcement began immediately. By May 18, the development team prepared patch v3.18.1, withholding technical details to allow other projects using GG20 to address the flaw. Node operators were instructed to scale down Bifrost pods before the release.

The THORChain Foundation outlined its recovery plan: the primary buffer is Protocol Owned Liquidity (POL), which will absorb the initial losses. Any remaining deficit will be distributed proportionally among holders of synthetic assets (Synths). Crucially, the foundation committed to no dilution of existing RUNE tokens—no additional RUNE will be issued or sold to cover the losses. The exact ratio for Synth adjustments is still being finalized. Longer-term, the protocol had already been migrating to the more secure DKLS signature scheme, with Silence Labs engaged since November 2025, but GG20 remained in production at the time of the attack.

The incident adds to a growing tally of DeFi exploits, with over $620 million lost through April 2026. Community governance will decide further steps under ADR-028, with implementation expected in v3.19.
