the coinformer
Contact About
Live 5m

THORChain report says hacker bonded $370K in RUNE before $10.7M vault drain

The post-mortem report suggests the hacker risked about $370,000 in bonded RUNE to enter the validator set two days before the attack.

THORChain, a decentralized cross-chain liquidity protocol, said a May 15 attack drained about $10.7 million from one vault after the suspected attacker entered its validator set with about 635,000 RUNE, worth roughly $370,000 before the exploit.

In its post-mortem report, THORChain said the suspected attacker, whose identity and country of origin remain unclear, joined the protocol's validator set on May 13, two days before the attack, with about 635,000 RUNE bonded across two addresses.

But the whole setup appears to have started weeks earlier

On May 1, a freshly created Discord account named "Dinosauruss" (dinosauruss_53308) joined THORChain's developer Discord and began asking how to get a node churned into the network, according to the report.

The account appeared eager to get the node active as soon as possible, but an unrelated delay in THORChain's normal three-day churn cycle forced it to wait.

THORChain said the suspected attacker exploited a weakness in GG20, the cryptographic signing system used by its vaults, which was meant to stop any one node from holding the full private key.

The report says the suspected attacker appears to have rebuilt the full vault key after taking part in routine signing activity. Once that happened, the attacker didn't need THORChain's normal approval process anymore and could sign transactions directly.

  • It's still unclear how the hacker rebuilt the full vault key.
  • The report implies that the leading theory is that an undisclosed flaw in THORChain's GG20 signing setup allowed key material to leak over time during routine signing activity.
  • Once the attacker had enough key material, they allegedly bypassed THORChain's normal signing process and sent transactions directly from the vault.

As THORChain noted, the exploit happened while it was already preparing to stop using GG20 as it wanted to move to DKLS, a newer signing system.

In November 2025, THORChain hired Silence Labs, a crypto security company that works on shared-key signing tech, to build a custom DKLS version for the network, the post-mortem reads.

But the new system wasn't ready yet since THORChain said it needed a version that could show which node caused a signing process to fail. Standard DKLS didn't offer that in the way THORChain needed, so GG20 stayed live while Silence Labs worked on the custom upgrade.

That left THORChain using GG20 when the suspected attacker found a way to exploit it.

👀 4