Incident case

THORChain 2026 GG20 TSS vault exploit

In May 2026, a newly churned node operator exploited a vulnerability in THORChain's GG20 threshold-signature implementation, reconstructed a vault private key, and drained approximately $10.7 million from one Asgard vault across multiple chains.

reviewedcurrent

Incident facts

Incident title: THORChain 2026 GG20 TSS vault exploit
Bridge: THORChain
Incident date: 2026-05-15
Incident type: Exploit
Major incident: Yes
Affected chains: THORChain, Bitcoin, Ethereum, BNB Chain, Avalanche, Unknown
Affected assets: BTC, ETH, USDC, USDT, WBTC, DAI, Unknown
Attack category: Validator Key Compromise
Reported loss: $10.7 million official estimate; more than $11 million later analytics estimate
Recovery: Unknown
Reimbursement: Unknown
Restart: Paused
Current outcome: Paused Long Term
Resolution: Unresolved
Last reviewed: 2026-06-15
Last verified: 2026-06-15

Timeline events

GG20 TSS vault exploit disclosed2026-05-15
A May 2026 threshold-signature incident drained one Asgard vault before automatic solvency controls halted the network.
Exploit DisclosedHigh
TSS patch released and recovery options moved to governance2026-05-20
THORChain reported a patched release and governance review of recovery options while final loss allocation remained pending.
Patch And Recovery ReviewHigh

Evidence records

THORChain Exploit Report #1
THORChain · Tier 1 · 2026-05-20
THORChain Exploit Drains $11M Across at Least Nine Chains: What TRM Knows Now
TRM Labs · Tier 1 · 2026-05-21
THORChain - REKT III
Rekt · Tier 3 · 2026-05-21

Known unknowns

The final recovered amount and loss allocation are not established.
A follow-up technical report and finalized recovery plan were pending in the reviewed official publication.
The exact relationship between the exploited GG20 weakness and previously disclosed GG20 vulnerability classes remains under investigation.