How the THORChain Attacker Quietly Reconstructed a Private Key and Drained the Vault
-

The mechanics behind the THORChain exploit are more sophisticated than a typical smart contract bug. According to THORChain's own incident update, the leading theory is that the attacker exploited a vulnerability in the implementation of the GG20 threshold signature scheme, a cryptographic method used to manage vault keys across multiple parties. The flaw allowed sensitive vault key material to leak gradually over time rather than all at once. By accumulating enough of this leaked data, the attacker was eventually able to reconstruct the vault's private key and authorize outbound transactions without legitimate approval, effectively gaining full control over the funds.

The attack also had a setup phase that went unnoticed until it was too late. A newly churned node entered the THORChain network several days before the exploit occurred, and onchain analysis has since identified links between that node's bonding addresses and the wallets that received the stolen funds. THORChain's treasury is now working with Outrider Analytics and relevant law enforcement agencies to collect forensic data, identify the attacker, and pursue recovery of stolen funds where possible. The incident highlights a growing pattern in crypto security where the most damaging attacks are not rushed smash-and-grab operations but slow, calculated infiltrations that exploit infrastructure-level weaknesses over days or weeks.