THORChain Defends Patched GG20 Signing Framework After $10.7 Million Exploit
According to THORChain’s post-mortem and recovery proposal, the protocol will keep using patched GG20, avoid minting new RUNE, and seek node approval for a loss-absorption plan after the May 15 exploit.
THORChain is pursuing recovery from the May 15 exploit that drained about $10.7 million from a single vault while defending its decision to continue operating with a patched GG20 signing framework, according to its post-mortem report. Under ADR-028, the protocol said no new RUNE will be minted or sold; losses would first be absorbed through protocol-owned liquidity, reducing it to zero, with any remaining shortfall spread across synth holders and future system income redirected over time to replenish liquidity. THORChain said the attacker exploited a flaw in GG20 after reportedly joining as a node operator two days before the breach, while only one of five vaults was affected. The network said trading halts were triggered within minutes, a full lockdown followed in about two hours, GG20 has since been patched and upgraded, unaffected nodes in the compromised vault would not be slashed, and the proposal includes a 10% bounty offer for the attacker to return funds. The decision to retain patched GG20 has drawn criticism from crypto security researchers and investors, while Chainalysis published on-chain evidence linking the attacker to wallets funded through Monero, Hyperliquid, Arbitrum, and Ethereum.
- GG20 threshold signature scheme (TSS): A cryptographic signing system that splits control of vault keys across multiple nodes so no single operator holds the full private key.
- Protocol-owned liquidity: Liquidity reserves controlled directly by a blockchain protocol, which can be used to support operations, markets, or recovery measures.
- Post-mortem report: A formal review published after an incident that explains what happened, what caused it, and what remediation steps are being taken.