The funds left through completely valid signatures. No contract failed. No key was stolen through phishing. One validator rebuilt the vault’s private key, piece by piece, from inside the network.
That is what THORChain’s ongoing investigation has found so far, and it changes how this incident should be read.
As we reported yesterday in our initial breakdown of the $10.8M exploit, SamYap, a THORChain node operator, was the first to flag the abnormal outflows. Four coordinated transfers of 1,866 ETH each cleared within 13 minutes, all without memo fields, all routed to an external sink. The global emergency halt came from node operators, not the core team. Trading remains paused.
Now investigators know more about how it was actually done.
The Bug Was in the Math, Not the Code
THORChain’s incident update #1 on X named a newly churned validator node, identified on-chain as thor16ucjv3v695mq283me7esh0wdhajjalengcn84q, as the current leading suspect. Ethereum addresses used to bond RUNE for that node were traced to addresses that later received stolen funds. Based on current evidence, THORChain’s contributors believe this was a single malicious operator, though the investigation is ongoing.
The leading theory, per the same update, is an exploit targeting GG20, the threshold signature library THORChain uses to co-sign vault transactions. Each signing session leaked a small fragment of private key material to the attacker’s node. After accumulating enough fragments across multiple sessions, the attacker mathematically reconstructed the full vault private key. From that point, signing unauthorized outbound transactions required nothing unusual. The signatures were valid. The smart contracts behaved correctly.
As zacodil posted on X in a technical breakdown on May 15:
“The smart contracts behaved correctly. No validator infrastructure was breached. Funds left through normal channels because the signatures were mathematically valid — just produced by an attacker who had silently rebuilt the key.”
That post, at zacodil’s thread on X, is the clearest public explanation of the attack mechanism available at publication time.
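Because every signature validated, no contract-level check could have rejected these transfers; the only available signal was the behavioural one SamYap acted on, four large memo-less outbounds to one sink inside 13 minutes. The block below is an added illustration written for this article, not code from THORChain, zacodil or the investigators: it scans constructed outbound records and flags clusters of large, memo-less transfers to a single destination within a short window. The thresholds, addresses and timestamps are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Outbound:
    ts: datetime
    amount_eth: float
    memo: str       # THORChain outbounds normally carry a memo; the stolen ones had none
    to_addr: str


def flag_memoless_bursts(txs: List[Outbound], min_amount_eth: float = 500.0,
                         window: timedelta = timedelta(minutes=15),
                         min_count: int = 3) -> List[Tuple[str, List[Outbound]]]:
    """Return (destination, transfers) for every destination that received
    >= min_count large, memo-less outbounds inside one sliding time window.
    Signature validity is deliberately not a criterion: in this incident the
    signatures were correct, so the alert must come from the outflow pattern."""
    large = sorted((t for t in txs if t.amount_eth >= min_amount_eth and not t.memo.strip()),
                   key=lambda t: t.ts)
    by_dest: Dict[str, List[Outbound]] = {}
    for t in large:
        by_dest.setdefault(t.to_addr, []).append(t)
    alerts = []
    for dest, items in by_dest.items():
        best: List[Outbound] = []
        i = 0
        for j in range(len(items)):
            while items[j].ts - items[i].ts > window:   # slide the window start forward
                i += 1
            if j - i + 1 >= min_count and j - i + 1 > len(best):
                best = items[i:j + 1]                    # keep the largest qualifying cluster
        if best:
            alerts.append((dest, best))
    return alerts


# Constructed sample data (not real chain records), shaped after the pattern
# described in the article: four 1,866 ETH transfers, no memo, within 13 minutes.
T0 = datetime(2026, 1, 1, 12, 0)          # assumed timestamp
SINK = "0xSINK_PLACEHOLDER"               # assumed external sink address
SAMPLE = [
    Outbound(T0, 1866.0, "", SINK),
    Outbound(T0 + timedelta(minutes=4), 1866.0, "", SINK),
    Outbound(T0 + timedelta(minutes=9), 1866.0, "", SINK),
    Outbound(T0 + timedelta(minutes=13), 1866.0, "", SINK),
    Outbound(T0 + timedelta(minutes=5), 2.5, "OUT:abc123", "0xUSER_PLACEHOLDER"),  # normal swap, has memo
    Outbound(T0 + timedelta(hours=3), 900.0, "", "0xOTHER_PLACEHOLDER"),         # lone large outbound, no cluster
]

if __name__ == "__main__":
    for dest, hits in flag_memoless_bursts(SAMPLE):
        print(f"ALERT {dest}: {len(hits)} memo-less outbounds, {sum(h.amount_eth for h in hits):.0f} ETH")
```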
Who Else Is Running This Library
GG20 was published in 2020 by researchers Gennaro and Goldfeder. Known weaknesses in GG20-family implementations were already documented publicly. The Alpha-Rays attack by Verichains in 2023, and TSSHOCK at BlackHat the same year, showed that practical exploitation of tss-lib and related implementations was achievable. Some teams patched. Others did not.
Based on shared library lineage, zacodil named the protocols that should be auditing their TSS implementations right now: Mayachain, a direct THORChain fork; Sygma, the cross-chain bridge; Keep Network’s tBTC v1; and any service still running on bnb-chain/tss-lib or ZenGo-X/multi-party-ecdsa.
For a DeFi user or cross-chain liquidity provider with funds in those systems, that list is not background reading. It is an immediate risk assessment.
Fireblocks, Coinbase Custody, Taurus, and Silence Laboratories had already moved to newer threshold schemes, specifically CGGMP21 and DKLs, before this incident. According to zacodil’s analysis, institutional custody had been quietly stepping away from GG20 for roughly two years. THORChain just made that migration visible.
Six Times. Six Completely Different Ways.
What makes the current incident harder to absorb is what it sits inside. In a separate post on X, zacodil mapped every THORChain security incident going back to 2021, and the attack vector has never repeated.
In 2021, an ETH Router smart contract bug let attackers manipulate msg.value events through Bifrost. Three exploits that year cost around $15.5M. In 2022, non-deterministic validator software caused a 20-hour outage. In 2023, a TSS keygen vulnerability was discovered before funds were drained, but the network halted preemptively. In January 2025, the THORFi economic model collapsed because the lending structure required RUNE to keep outperforming BTC and ETH. $200M locked. In September 2025, North Korean operatives ran a Telegram deepfake targeting co-founder JP Thorbjornsen, pulled his MetaMask keys from iCloud Keychain, and took $1.35M from his personal wallet.
Now the sixth: GG20 cryptography. A malicious validator leaked key material across signing sessions until the vault could be reconstructed. $10.7M drained in under 15 minutes.
Total direct losses and trapped funds across all six incidents sit at approximately $227M, per zacodil’s accounting. That number does not include the roughly $605M in Bybit and Lazarus-linked funds that were laundered through the protocol in 2025, after validators initially voted to block the flows, then reversed under what zacodil described as “code is law” pressure.
The Scams Started the Same Day
Within hours of the incident going public, fake accounts began pushing refund offers, airdrop claims, and compensation programs aimed at confused RUNE holders.
THORChain’s incident update #2 on X addressed this directly. Initial findings indicate no user funds were lost in the exploit. The protocol is running no refund program, no airdrop, and no compensation scheme. Any account claiming otherwise is either impersonating THORChain or spreading misinformation. THORChain directed users to rely only on official communication channels for updates.
The investigation continues alongside THORSec, Outrider Analytics, and relevant law enforcement. Recovery options under discussion include slashing the bonds of nodes that participated in the compromised vault, and using Protocol-Owned Liquidity to absorb losses. No final decisions had been made at time of publication.
Trading, LP actions, signing, and all sensitive operations remain paused while node operators and contributors work toward a remediation plan. Full recovery of functionality could take several days or longer, depending on the path chosen.