keyseᚱ ⚡🍫 🎓

THORChain incident update #2 We have become aware of multiple fake accounts and false information circulating regarding “refunds”, “airdrops”, compensation claims, and other alleged initiatives. To be absolutely clear: - Initial findings indicate that no user funds were lost in the incident - THORChain is currently conducting no refund, airdrop, or compensation program - Any account claiming otherwise is impersonating THORChain or spreading misinformation. Please rely only on official THORChain communication channels for updates. THORChain contributors are still actively investigating the recent incident alongside THORSec and external security partners. More information will be shared as the investigation progresses.

THORChain incident update #1 THORChain contributors shared a new update in the dev discord regarding the ongoing incident. TLDR - Current evidence points toward a newly churned node linked to the attack, likely operated by a single malicious actor - The leading theory is an exploit in the GG20 TSS implementation, allowing vault key material to leak over time. The attacker may have reconstructed the vault private key and executed unauthorized outbound txs - Current network status: -- The network is paused after multiple node operators executed make pause -- RUNE transfers and chain observation may resume within ~12h unless decided otherwise by the nodes. -- Trading, LP actions, signing, and sensitive operations remain paused for now - Recovery discussions currently include slashing affected node bonds, using POL to absorb losses, or other community-driven solutions The investigation is still ongoing alongside THORSec and Outrider Analytics. ## Full Announcement ## Developers and THORSec have been investigating today’s incident continuously throughout the day. While new information may still emerge, I want to provide the community with an update based on what we currently know. The goal of this update is to clarify the current understanding of the situation as accurately and transparently as possible. A newly churned node, thor16ucjv3v695mq283me7esh0wdhajjalengcn84q, which entered the network several days ago, is currently believed to be associated with the attack. Developers have identified links between Ethereum addresses used to acquire and bond RUNE for this node, and Ethereum addresses that later received the stolen funds. Based on current evidence, it is believed this was conducted by a single malicious operator, though the investigation remains ongoing. At this time, the leading theory is the attacker exploited a vulnerability within the GG20 TSS implementation which allowed sensitive key material from vault participants to leak over time. By accumulating enough leaked information, the attacker was ultimately able to reconstruct the vault’s TSS private key and execute unauthorized outbound transactions. The Treasury is actively collecting forensic data and coordinating with Outrider Analytics and relevant law enforcement agencies in an effort to identify the attacker and pursue recovery of stolen funds where possible. Due to multiple node operators executing make pause, the network is currently paused. Unless further action is taken, the pause state will automatically expire in approximately 12 hours. At this time, the development team is comfortable allowing the pause to expire in order to restore RUNE transfers and chain observation activity. However, trading, signing, LP actions, and other sensitive operations will remain paused until the network and community align on a comprehensive recovery and remediation plan. The recovery process will likely require node governance decisions regarding how losses are ultimately handled. Several potential approaches are already being discussed, including: Slashing the bond of nodes participating in the affected vault Allowing Protocol-Owned Liquidity (POL) to absorb the loss Additional recovery proposals that may emerge from the broader community At this stage, no final decisions have been made. The team is continuing to work on a complete recovery and restart plan for the network. Bringing trading and full functionality back online will likely take several days, and potentially longer depending on the complexity of the chosen remediation path. We will continue to provide updates as more information becomes available. Finally, I want to thank the developers, node operators, security contributors, and the broader THORChain community for the enormous amount of work done today. One of THORChain’s greatest strengths has always been the community’s ability to come together under pressure, collaborate quickly, and solve difficult problems together.

Important Announcement Trading on THORChain is currently halted after a vault was compromised. Initial indications are user funds are safe and only protocol owned funds are affected. The network automatically detected abnormal behavior and halted signing activity, which alerted the broader community and prevented further outbound transactions. The investigation is still ongoing to determine the root cause. Contributors are actively working on the issue and we will report updates as we progress toward a solution. What we currently know: * One of the six Asgard vaults appears to have been compromised. * Current estimates place the loss at approximately $10.7m USD * The network automatically detected the abnormal behavior and halted signing activity, preventing further outbound activity. * Nodes securing the vault were subject to their bonded RUNE being slashed as a result of the unauthorized outbound transactions. * Churn activity has been paused while the investigation and remediation efforts are ongoing. * Onboarding additional chains and operations requiring churns will be delayed until the network is stabilized. * Initial indications show no individual user swaps were affected. We are asking all node operators to immediately review their infrastructure, hosts, key management systems, and operational security for any signs of compromise or abnormal behavior, and to report anything suspicious in Discord. Node operators participating in the affected vault are requested to securely provide Bifrost logs to the dev team for analysis using 'make relay' .

thorchain ($RUNE) just processed $176m in DPRK-linked exploit funds from ETH to BTC and the token is up 6.7% on the day. market is pricing pure utility at $0.45 with zero regulatory premium baked in. now monero integration launches may 10 with FROST threshold signatures enabling atomic ETH to BTC to XMR swaps. no KYC, no admin keys, no bridge contracts to freeze, 105 distributed nodes. this is the tornado cash test on steroids except thorchain is embedded in trust wallet, ledger, OKX, and bitget serving millions of users. too integrated to sanction cleanly, too effective at laundering to ignore. RUNE is the highest convexity vol setup in crypto right now. if privacy infra gets legitimized you own the cross-chain backbone. if treasury moves first you're holding the next sanctioned protocol. may and june will resolve this and the current price reflects neither outcome.