Charles Guillemet@P3b7_
This morning, THORChain was drained of roughly $10.8m
Node operators have freezed the network for nearly 13 hours. The full analysis isn't out yet, but according to @jpthor, this could be a MPC exploit.
ECDSA and TSS is hard. THORChain's vaults rely on TSS, a flavor of MPC where a quorum of nodes jointly produces a signature without ever reconstructing the private key. Clean for Schnorr or EdDSA; painful for ECDSA, which Bitcoin and Ethereum require. That's why we saw plenty of protocol attempts (Lindell17, GG18, GG20, CMP, CGGMP21, DKLS, KU23...), each patching flaws in the previous one.
GG20 has a track record. THORChain's TSS uses GG20, on a fork of Binance's tss-lib. GG20 has shipped two well-publicized critical bugs: CVE-2023-33241 and TSSHOCK. CGGMP21, now cggmp24, are the latest protocols, but GG20 is still widely deployed.
I often hear a misconception when I hear about MPC setup: "The key is split across many nodes, so any single co-signer doesn't really matter".
In every published GG18/GG20 attack, one malicious or compromised co-signer is enough to extract everyone else's shard and reconstruct the full key.
AI changes the threat model. Compromising a full software node, complex Go stack, exposed P2P, custom signing daemons, a churn protocol that admits new participants on a schedule, has always been difficult and acted as a barrier. With LLM-driven vulnerability discovery and exploit synthesis, the bar to compromise one of N validators is dropping fast.
Here, it's a plausible TSSHOCK-style playbook:
- compromise one operator
- wait for it to churn into an active Asgard vault
- send malformed proofs during keygen or signing
- reconstruct the key offline
- sweep in a single transaction
It's unclear yet if the attacker used a known-unpatched GG20 weakness, or a fresh cryptographic flaw.
But, in all cases, MPC and TSS are not a substitute for hardening every co-signer. They sit on top of co-signers that must each be treated as critical infrastructure, hardware-isolated enclaves, minimally exposed, continuously audited, and running protocol with security proofs.
While the investigation progresses, be careful in your interactions onchain. These TSS setup are used in various protocols.
