THORChain (RUNE) has opened a community governance vote to determine its recovery path after a May 15 exploit in which a rogue node operator drained approximately $10.7 million from a single vault, causing the network to halt all trading and signing operations. The RUNE token fell 10% on the day of the incident, according to CoinGecko data.
The protocol’s development team detailed the attack in a post-incident report, attributing the loss to a sophisticated exploit of its GG20 threshold signature scheme. “Through progressive key material leakage across multiple signing rounds, the attacker reportedly reconstructed the vault’s full private key,” the report stated. This allowed the attacker to sign transactions directly, bypassing the multi-party security model.
On-chain analysis confirmed the attacker entered the validator set on May 13 after bonding 635,000 RUNE. The exploit began two days later, with automated solvency checkers halting six chains within 52 minutes of the unauthorized transactions. Node operators then coordinated a full network lockdown using Mimir governance votes, preventing the malicious node from exiting and claiming its bond.
The incident adds to the more than $840 million lost to DeFi hacks in 2026, a year marked by increasingly sophisticated attacks on cross-chain infrastructure. The THORChain exploit specifically targeted the cryptographic layer, distinct from the social engineering or bridge-focused attacks that have characterized other major losses this year.
The Exploit: A Rogue Node and a GG20 Flaw
The attack was initiated by a new node operator who joined the developer Discord on May 1 under the handle Dinosauruss. After entering the active validator set, the operator exploited a flaw in the GG20 signing process to progressively leak key material from a vault over two days. Once the full private key was reconstructed, the attacker drained the funds directly, with security researcher ZachXBT among the first to flag the suspicious outbound transactions on X.
Response and Network Halt
THORChain’s security model responded in layers. The protocol’s automated solvency checker, which monitors for balance discrepancies, triggered first, halting activity on the affected chains. This was followed by a manual response from the community, with more than 18 node operators stacking pause commands to sustain a network halt while the situation was investigated. The team has since released patch v3.18.1 to address the vulnerability and is coordinating with other projects that use the same GG20 implementation.
The path to restoring full network functionality and addressing the financial loss now rests with a governance vote on Architecture Decision Record 028 (ADR-028). The proposal outlines a plan to make users whole by using the protocol’s own liquidity (POL) to cover the deficit. The plan explicitly states no new RUNE will be minted. It also includes a provision to offer the hacker a bounty for returning the majority of the funds. The vote will determine whether losses are absorbed by the protocol or whether other measures, such as slashing the attacker’s bond, will be used.