GG20 TSS cryptographic flaw allowed malicious node to reconstruct vault key and drain $10.7M across 10 chains
On May 15, 2026, a single malicious node churned into THORChain's validator set. Over two days of routine signing ceremonies, the attacker reconstructed the vault's full private key from leaked cryptographic material. THORChain's GG20 fork (tss-lib v0.1.6) skipped the MOD/FAC proof checks that validate Paillier key formation. The attacker registered a malformed Paillier modulus with attacker-known factors. Each signing round leaked residues of honest participants' long-term key shares. With enough leaked material, the attacker reconstructed the vault's complete TSS private key. Using the reconstructed key, the attacker signed unauthorized outbound transactions across all 10 chains the vault held. The network's solvency checker detected the shortfall at block 26190429 and halted the network autonomously for 12 hours and 42 minutes.
All funds were pulled straight from the vault to attacker-controlled addresses — no intermediary contracts, no flash loans, no DEX routing. The direct on-chain extraction per chain: Ethereum ($5.2M in ERC-20s), Bitcoin ($3.26M), Dogecoin ($580K), BNB Chain ($450K), Litecoin ($580K), Avalanche ($280K), Bitcoin Cash ($150K), Base ($56K), XRP ($50K), TRON ($14K). No individual user swap funds were affected — all losses came from protocol-owned vault balances. Node operators securing the compromised vault had their bonded RUNE slashed. THORChain published ADR-028 recovery plan: Protocol-Owned Liquidity absorbs loss first, remainder spread across synth holders. A white hat bounty was offered.