THORChain, a decentralized cross-chain liquidity network, has been affected by a significant exploit that resulted in the loss of approximately $10.7 million from one of its vaults.
The incident was caused by a combination of two factors: a vulnerability in the GG20 threshold signature system and the actions of a malicious node operator. The GG20 scheme is designed to distribute control of private keys across multiple node operators, preventing any single entity from accessing the complete key individually. However, the detected flaw allowed the malicious node to reconstruct the full private key of a vault through progressive leakage of cryptographic material.
The protocol's automatic solvency controls activated quickly in response to the breach, halting signing and trading operations across multiple chains without human intervention. Node operators then coordinated a full network shutdown, which was completed within two hours of the incident. A patch was deployed to fix the vulnerability.