THORChain exploit tied to malicious node and GG20 flaw

The $10.7 million THORChain exploit was caused by a GG20 vulnerability, which allowed a malicious node to reconstruct a full private key to one of its vaults.

THORChain said a malicious node operator exploited a vulnerability in its GG20 threshold signature system to drain about $10.7 million from one of the protocol’s vaults.

The GG20 threshold signature scheme is used to secure THORChain vaults by splitting key control across multiple node operators, meaning no single node normally holds the full private key.

The vulnerability allowed the malicious node operator to reconstruct a full private key for one vault, through “progressive key material leakage,” the protocol said in a post-mortem report released on Wednesday.

Read more