THORChain Network Halted: Unauthorized Access Triggers Suspension, RUNE Transfers to Resume Within 12 Hours

Network Halted Following Security Breach

On May 16th, the cross-chain liquidity protocol THORChain issued an urgent update via its official social channels, confirming a network-wide suspension triggered by a security incident. Preliminary evidence suggests the event originated from a recently onboarded network node that fell under the control of a malicious actor.

Root Cause: Exploitation of GG20 TSS Vulnerability

The investigation points to a critical weakness in the GG20 Threshold Signature Scheme (TSS). The attacker allegedly leveraged this vulnerability to access key information from vault participants. Using this data, they successfully reconstructed a vault private key and executed unauthorized withdrawal transactions.

Response Actions and Recovery Timeline

As part of the emergency response, multiple validator nodes within the THORChain network voluntarily halted operations to prevent further potential damage. This action resulted in a temporary suspension of normal transaction processing across the network.

The core development team is now focused on patching the vulnerability and restoring network operations. Based on the latest assessment, the transfer functionality for the RUNE token is expected to be gradually restored within approximately the next 12 hours. The team has committed to providing a detailed post-mortem and enhanced security measures in the follow-up.

• Current Status: Network halted, multiple functions unavailable.
• Root Cause: Suspected exploitation of a GG20 TSS protocol flaw.
• Impact: Vault security compromised, leading to unauthorized transactions.
• Recovery ETA: RUNE transfers to resume in ~12 hours.