HIGH RISK

THORChain Asgard Vault Drained For $10.8M Via Rogue Validator Node

Rogue validator exploited THORChain's GG20 threshold signing to reconstruct vault key, draining $10.8M in ETH, BTC, and BNB across 9 chains in 52 minutes.

Our Analysis

On May 15, 2026, a rogue validator node exploited a critical vulnerability in THORChain's GG20 threshold signature scheme (TSS) to drain approximately $10.8 million from one of six Asgard vaults across nine blockchains. The attacker's node (thor16ucjv3v695mq283me7esh0wdhajjalengcn84q) had joined the THORChain network just two days earlier on May 13, participating in routine GG20 signing operations before executing the exploit. THORChain's automated solvency monitoring system detected abnormal vault balances and auto-halted trading within 52 minutes.

The exploit leveraged a documented weakness in the GG20 threshold signature implementation: gradual information leakage during signing rounds allowed a single compromised co-signer to reconstruct the full vault private key over time. According to THORChain's post-incident report, the attacker accumulated enough cryptographic key fragments across two days of participation to recover the complete signing key and unilaterally drain the vault.

The stolen funds totaled approximately 3,443 ETH, 36.85 BTC, and 96.6 BNB, with additional amounts drained across Base, Avalanche, Dogecoin, Litecoin, Bitcoin Cash, and XRP. TRM Labs identified the initial recipient addresses including 0x82fc0d5150f3548027e971ec04c065f3c93154eb and 0xd477b69551f49c0519f9b18c55030676138890bd on EVM chains, bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37 on Bitcoin, and rwoGBrYEJ28jhBjchrTyCGXd1Pt4pobFBz on XRP.

The impact was significant but contained. The compromised vault represented approximately 20% of THORChain's protocol-owned funds in active vaults, and the RUNE token price fell roughly 15% following disclosure. Critically, user funds and liquidity provider positions were not affected; only protocol-owned liquidity was drained. THORChain's emergency response involved automated halts across Ethereum, Avalanche, BSC, Base, Dogecoin, and Gaia integrations, with 18-20 validators manually pausing additional operations via Discord governance. Trading was suspended for approximately 13 hours while the team assessed the damage.

THORChain had already planned a migration from the vulnerable GG20 cryptographic system to the more secure DKLS implementation prior to the incident. Recovery efforts are proceeding through community governance under ADR-028, where node operators will determine restoration methods for the lost funds. This marks THORChain's most significant security incident since its 2021 exploits, bringing cumulative protocol losses to approximately $25 million according to TRM Labs.

For users of cross-chain DeFi protocols, this incident underscores the importance of understanding the cryptographic assumptions underlying threshold signature schemes. Validators in decentralized networks serve as trust anchors, and a single malicious participant with sufficient time can compromise vault security if the underlying signature scheme permits gradual key recovery. Users should monitor protocol announcements through official channels only: THORChain warned that phishing scams impersonating recovery portals appeared within hours of the exploit.
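
The automated solvency monitoring and auto-halt described above can be expressed as a per-chain comparison of expected and observed vault balances. This is an added example, not THORChain's code. The function names, the 0.1% tolerance, the two-chain escalation rule and the expected balances are assumptions; only the ETH, BTC and BNB shortfalls are the figures reported in this article.

```python
from decimal import Decimal

# Constructed sample data. Expected balances are hypothetical; the ETH, BTC
# and BNB shortfalls equal the drained amounts reported in the article.
EXPECTED = {"ETH": Decimal("4000"), "BTC": Decimal("40"),
            "BNB": Decimal("100"), "LTC": Decimal("5200")}
OBSERVED = {"ETH": Decimal("557"), "BTC": Decimal("3.15"),
            "BNB": Decimal("3.4"), "LTC": Decimal("5199.98")}

# Assumed allowance for unconfirmed outbounds and fee drift, as a fraction
# of the expected balance.
TOLERANCE = Decimal("0.001")
# Assumed escalation rule: a shortfall on this many chains at once points at
# the shared vault key rather than at one chain's accounting.
KEY_COMPROMISE_CHAINS = 2


def shortfalls(expected, observed, tolerance=TOLERANCE):
    """Return {chain: missing amount} for every chain outside tolerance."""
    missing = {}
    for chain, want in expected.items():
        have = observed.get(chain)
        if have is None:
            # No balance reading counts as insolvent: fail closed.
            missing[chain] = want
            continue
        gap = want - have
        if gap > want * tolerance:
            missing[chain] = gap
    return missing


def decide(expected, observed):
    """Map one vault's ledger and on-chain balances to a halt decision."""
    missing = shortfalls(expected, observed)
    if len(missing) >= KEY_COMPROMISE_CHAINS:
        # Short on several chains at once: stop every chain the vault signs for.
        return {"action": "halt_vault", "chains": sorted(expected),
                "missing": missing}
    if missing:
        return {"action": "halt_chain", "chains": sorted(missing),
                "missing": missing}
    return {"action": "none", "chains": [], "missing": {}}


if __name__ == "__main__":
    print(decide(EXPECTED, OBSERVED))
```

Failing closed on a missing balance reading matters here: a monitor that skips chains it cannot query would stay silent on exactly the chain where its data source has been disrupted.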
RugPull News, May 15, 2026

Rug Pull Score

8.2/10
Based on our analysis

🚩 Red Flags Identified

  1. Rogue validator node (thor16ucjv3v695mq283me7esh0wdhajjalengcn84q) joined THORChain on May 13 and exploited within 48 hours
  2. GG20 threshold signature scheme allowed a single compromised co-signer to reconstruct the full vault signing key
  3. ~$10.8M drained across 9 chains: 3,443 ETH, 36.85 BTC, 96.6 BNB plus funds on Base, Avalanche, Dogecoin, Litecoin, BCH, and XRP
  4. Attacker EVM wallet 0x82fc0d5150f3548027e971ec04c065f3c93154eb received initial drain proceeds
  5. Approximately 20% of protocol-owned active vault funds compromised from 1 of 6 Asgard vaults
  6. RUNE token price dropped approximately 15% following the exploit disclosure
Disclaimer: This analysis is for informational purposes only and should not be considered financial advice. Always conduct your own research before making investment decisions.