Vaultstone Advisory

Thorchain didn't lose $10.7M to a smart contract bug or a stolen key. The bug was in the cryptography itself - and Thorchain probably isn't the only chain running on it. A single attacker bonded RUNE and joined the validator set days before the incident, looking like any legitimate operator. From inside, they exploited what investigators currently believe was a flaw in GG20, the threshold signature library Thorchain uses to co-sign transactions. Each signing session leaked a fragment of private key material to the attacker's node. After enough sessions, they had collected enough leaked data to mathematically reconstruct the vault's full private key. Then they signed unauthorized outbound transactions as the vault. The smart contracts behaved correctly. No validator infrastructure was breached. Funds left through normal channels because the signatures were mathematically valid - just produced by an attacker who had silently rebuilt the key. Here's why this matters beyond Thorchain. GG20 was published in 2020 (Gennaro-Goldfeder). The Alpha-Rays attack (Verichains, 2023) and TSSHOCK at BlackHat 2023 documented practical weaknesses in tss-lib and related implementations. Some teams patched. Many didn't bother. Based on shared library lineage, protocols that should audit their TSS right now include Mayachain (direct THORChain fork), Sygma cross-chain bridge, Keep Network's tBTC v1, and any service still running on bnb-chain/tss-lib or ZenGo-X/multi-party-ecdsa. Major custody and MPC services that already migrated to newer threshold schemes (CGGMP21, DKLs): Fireblocks, Coinbase Custody, Taurus, Silence Laboratories. The industry has been quietly moving away from GG20 for two years. Thorchain just gave everyone still on it a reason to move faster.