THORChain faces backlash over GG20 fix after $10.7M hack

Rony Roy

THORChain has faced criticism from crypto security researchers and investors after proposing to continue using its patched GG20 signing framework following a $10.7 million exploit tied to the system.

Summary
  • THORChain faced criticism after proposing to retain its patched GG20 signing framework following a $10.7 million vault exploit.
  • The protocol said automatic solvency checks halted cross-chain signing and trading within minutes, preventing additional losses after a malicious node operator reconstructed a private key.
  • Separate reports from PeckShield linked a $1.3 million theft targeting THORChain co-founder JP Thor to a deepfake Zoom attack tied to rising North Korean-linked crypto hacks.

According to a post-mortem report released by THORChain on Wednesday, a malicious node operator exploited a flaw in the protocol’s GG20 threshold signature scheme and reconstructed a full private key linked to one of the network’s vaults.

The report said the exploit was made possible through “progressive key material leakage,” allowing the attacker to bypass the protections normally created by distributing signing authority across several node operators.

Within minutes of the breach, THORChain said its automatic solvency checks suspended signing and trading activity across multiple chains without requiring manual intervention. Node operators later coordinated through Discord to halt the network entirely and deploy a fix within roughly two hours.

While the protocol credited the safeguard systems for preventing additional losses, criticism emerged after governance proposal ADR-028 recommended keeping the GG20 threshold signature system in place with upgrades rather than replacing it outright.

Why are security researchers questioning the GG20 framework?

Concerns around the proposed recovery plan intensified after several crypto analysts publicly questioned the reliability of GG20-based infrastructure.

Pseudonymous crypto project analyst Bird wrote on X that the initial exploit suggested the signing stack may contain “a flaw in randomness generation or local signing isolation.” At the same time, Bird praised THORChain’s automated solvency protections for limiting the damage before more vaults could be drained.

More critical reactions followed from crypto investor JP, who argued on X that GG20 carries “many brittle assumptions” and described the framework as a “black box” that may remain difficult to secure even with repeated patches.

Under ADR-028, THORChain would first absorb losses through protocol-owned liquidity before distributing remaining losses across synth holders. The proposal also seeks to rebuild depleted liquidity reserves over time using a portion of protocol income rather than minting or selling additional THORChain tokens.

At the same time, THORChain said trading activity would remain paused until the vulnerability is fully fixed. The protocol also announced plans to slash the malicious validator node while shielding unrelated node operators that shared the compromised vault.

How does the attack fit into rising crypto security threats?

The exploit arrived as blockchain security firms continue tracking a rise in sophisticated attacks targeting crypto infrastructure and executives.

Data from DefiLlama shows crypto exploits resulted in more than $634 million in losses during April alone. Earlier this year, blockchain investigator ZachXBT was among the first to flag the THORChain exploit before the protocol publicly halted trading and signing operations.

Separately, blockchain security firm PeckShield recently disclosed that THORChain co-founder JP Thor lost roughly $1.3 million in a separate attack linked to a compromised Telegram account and a deepfake Zoom call.

In a detailed post shared on X, JP Thor said the attackers used a fake video feed impersonating a friend before triggering a malicious script that copied files from his iCloud documents folder. 

He added that his MetaMask wallet, which was connected to an inactive Chrome profile and stored through iCloud Keychain, was drained without warning prompts or admin approval requests.

Security researchers have linked similar attacks this year to North Korean hacking groups that increasingly rely on deepfake video calls, malware, fake job offers, and social engineering campaigns targeting crypto executives and developer networks.

Earlier this year, blockchain analytics firm TRM and law enforcement agencies attributed the $1.5 billion Bybit theft to North Korea-linked actors.