Scoobydoo

The haters celebrated a $10.7M exploit like THORChain was finished. 🤡 Meanwhile the protocol has already processed tens of billions in native cross-chain volume and survived every major crypto extinction event thrown at it. ⚔️ 2021 exploits. Luna collapse. FTX contagion. ThorFi crisis. Regulatory attacks. Now GG20. Yes, losing 1 of 5 Asgard vaults was an expensive lesson. But this network was built for pressure, not comfort. 🛡️ And while CT farms “THORChain is dead” engagement, builders are already testing the next chapter: ⚡ 7-node chainnet running ⚡ 2-3x faster performance observed ⚡ Keygen working ⚡ Keysign working ⚡ Scaling tests toward 30+ nodes underway The funniest part? Most people discovering GG20 problems today are 2 years late. 😂 The industry already started moving away after Alpha-Rays and TSSHOCK exposed weaknesses in 2023. THORChain just accelerated the transition publicly. $10.7M stolen. Tens of billions already processed. Project still alive. Builders still shipping. That’s the difference between hype chains and antifragile infrastructure. GG20 was the past. DKLS is the future. 🔥 $RUN

Thorchain didn't lose $10.7M to a smart contract bug or a stolen key. The bug was in the cryptography itself - and Thorchain probably isn't the only chain running on it. A single attacker bonded RUNE and joined the validator set days before the incident, looking like any legitimate operator. From inside, they exploited what investigators currently believe was a flaw in GG20, the threshold signature library Thorchain uses to co-sign transactions. Each signing session leaked a fragment of private key material to the attacker's node. After enough sessions, they had collected enough leaked data to mathematically reconstruct the vault's full private key. Then they signed unauthorized outbound transactions as the vault. The smart contracts behaved correctly. No validator infrastructure was breached. Funds left through normal channels because the signatures were mathematically valid - just produced by an attacker who had silently rebuilt the key. Here's why this matters beyond Thorchain. GG20 was published in 2020 (Gennaro-Goldfeder). The Alpha-Rays attack (Verichains, 2023) and TSSHOCK at BlackHat 2023 documented practical weaknesses in tss-lib and related implementations. Some teams patched. Many didn't bother. Based on shared library lineage, protocols that should audit their TSS right now include Mayachain (direct THORChain fork), Sygma cross-chain bridge, Keep Network's tBTC v1, and any service still running on bnb-chain/tss-lib or ZenGo-X/multi-party-ecdsa. Major custody and MPC services that already migrated to newer threshold schemes (CGGMP21, DKLs): Fireblocks, Coinbase Custody, Taurus, Silence Laboratories. The industry has been quietly moving away from GG20 for two years. Thorchain just gave everyone still on it a reason to move faster.

Important Announcement Trading on THORChain is currently halted after a vault was compromised. Initial indications are user funds are safe and only protocol owned funds are affected. The network automatically detected abnormal behavior and halted signing activity, which alerted the broader community and prevented further outbound transactions. The investigation is still ongoing to determine the root cause. Contributors are actively working on the issue and we will report updates as we progress toward a solution. What we currently know: * One of the six Asgard vaults appears to have been compromised. * Current estimates place the loss at approximately $10.7m USD * The network automatically detected the abnormal behavior and halted signing activity, preventing further outbound activity. * Nodes securing the vault were subject to their bonded RUNE being slashed as a result of the unauthorized outbound transactions. * Churn activity has been paused while the investigation and remediation efforts are ongoing. * Onboarding additional chains and operations requiring churns will be delayed until the network is stabilized. * Initial indications show no individual user swaps were affected. We are asking all node operators to immediately review their infrastructure, hosts, key management systems, and operational security for any signs of compromise or abnormal behavior, and to report anything suspicious in Discord. Node operators participating in the affected vault are requested to securely provide Bifrost logs to the dev team for analysis using 'make relay' .