Tuesday, 02 January 2024 12:17 GMT

THORChain Exploit Exposes Cross-Chain Security Fault


(MENAFN- The Arabian Post) THORChain has halted core network activity after a coordinated exploit drained about $10.7 million from one of its liquidity vaults, putting fresh scrutiny on the security model behind decentralised cross-chain swaps.

The incident took place on May 15 and affected a single vault within the protocol's infrastructure. Early estimates placed the loss lower, but subsequent checks revised the figure to about $10.7 million. The remaining vaults were not drained, while Solana-linked assets were described as unaffected because they rely on a different signing architecture.

The breach centred on a malicious node operator that entered the active validator set two days before the theft. The operator was assigned to a vault and later exploited a weakness in the GG20 threshold signature system, a cryptographic process used to allow multiple node operators to approve transactions without any one participant holding a full private key. The vulnerability allowed the attacker to reconstruct key material for one vault and broadcast unauthorised outbound transactions directly.

THORChain's automatic solvency monitoring detected abnormal balance changes within minutes. Trading and signing functions were halted across multiple chains, including Ethereum, BNB Chain, Base, Avalanche, Dogecoin and Cosmos-related infrastructure. Node operators then used emergency governance controls to extend the halt across trading, signing, observation and validator churning, preventing the suspected malicious node from exiting the network or further activity from spreading.
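The kind of reconciliation a solvency monitor performs can be sketched as follows. This is an added example, not THORChain's code: the names `Spend` and `check_vault`, the 0.5% tolerance and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Spend:
    chain: str
    to_addr: str
    amount: Decimal


def check_vault(expected, on_chain, scheduled, observed, tolerance=Decimal("0.005")):
    """Reconcile one vault; return (chains_to_halt, findings).

    expected / on_chain: {chain: balance} from the protocol ledger and from
    chain observation. scheduled: outbound spends the protocol authorised.
    observed: spends actually seen leaving the vault address.
    """
    findings = []
    # 1. Each observed spend must consume exactly one scheduled outbound.
    pending = list(scheduled)
    for spend in observed:
        if spend in pending:
            pending.remove(spend)
        else:
            findings.append((spend.chain, "unscheduled outbound", spend.amount))
    # 2. The on-chain balance must cover what the ledger says the vault holds
    #    (tolerance is a hypothetical allowance for fees and rounding).
    for chain, want in expected.items():
        shortfall = want - on_chain.get(chain, Decimal(0))
        if shortfall > want * tolerance:
            findings.append((chain, "insolvent", shortfall))
    # Any finding halts signing and trading on that chain.
    return sorted({chain for chain, _, _ in findings}), findings


# Constructed sample: one authorised BTC payout, then two ETH spends that
# were never scheduled (a small one first, followed by a larger one).
SCHEDULED = [Spend("BTC", "bc1-example-user", Decimal("0.5"))]
OBSERVED = [
    Spend("BTC", "bc1-example-user", Decimal("0.5")),
    Spend("ETH", "0xEXAMPLE", Decimal("0.01")),
    Spend("ETH", "0xEXAMPLE", Decimal("120")),
]
EXPECTED = {"BTC": Decimal("40"), "ETH": Decimal("500")}
ON_CHAIN = {"BTC": Decimal("40"), "ETH": Decimal("379.99")}

if __name__ == "__main__":
    halt, findings = check_vault(EXPECTED, ON_CHAIN, SCHEDULED, OBSERVED)
    print("halt signing on:", halt)
    for finding in findings:
        print(finding)
```

The first check fires on the small unscheduled spend alone, before the balance shortfall crosses the tolerance.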

The attack exposed the delicate balance in decentralised finance between automation, distributed control and operational risk. THORChain was designed to support native asset swaps across blockchains without relying on wrapped tokens or centralised custodians. That structure has made it one of the better-known cross-chain liquidity networks, but it also means that any weakness in validator coordination, vault signing or infrastructure design can carry multi-chain consequences.


The stolen assets were traced across Bitcoin, Ethereum, BNB Chain and Base-linked routes, with the attacker moving funds in a sequence of smaller and larger transactions. Initial activity suggested testing before the full sweep, a pattern commonly seen when an attacker verifies that a route can be used before extracting higher-value balances. The targeted vault contained protocol-owned liquidity rather than direct user deposits, though the distinction may still matter little to holders if recovery costs are spread through the system.

The protocol's developers released patch version 3.18.1 as an immediate safeguard while investigators continued to assess the root cause. A fuller recovery plan is being handled through community governance under ADR-028, which is expected to determine how losses are absorbed and how operations resume. Options under discussion include using protocol-owned liquidity, adjusting synthetic asset positions and directing future protocol income towards replenishing reserves.

RUNE, THORChain's native token, came under pressure after the exploit, falling sharply as traders weighed the size of the loss against the network's ability to contain further damage. The token remains central to the protocol's economic security model, as node operators must bond RUNE to participate in validation and vault operations. Any prolonged weakness in confidence can therefore affect both liquidity and network participation.

The exploit also raises questions for other projects using similar threshold-signature systems. GG20-style signing is intended to reduce single-key risk by distributing control among multiple parties. The THORChain incident shows that implementation flaws, poor randomness generation, signing isolation weaknesses or compromised participant behaviour can still create severe exposure if safeguards fail before key material is reconstructed.


Developers have withheld some technical details to avoid giving attackers a ready blueprint before other systems can check their own implementations. That delay is common after cryptographic infrastructure failures, where full disclosure must be balanced against the risk of copycat attacks. Security teams are also examining whether the attack depended solely on THORChain's implementation or whether it indicates a wider class of risks for comparable deployments.

Cross-chain protocols remain a major target because they concentrate liquidity while interacting with several blockchains at once. Bridges and multi-chain liquidity networks have accounted for some of the largest digital-asset thefts of the past five years, with attackers repeatedly exploiting validator compromises, signature weaknesses, smart-contract bugs and operational lapses. Even when user funds are not directly drained, protocol-owned losses can weaken balance sheets, force governance trade-offs and reduce confidence among liquidity providers.

Arabian Post – Crypto News Network
