nvk 🌞
129.6K posts
This morning, THORChain was drained of roughly $10.8m Node operators have freezed the network for nearly 13 hours. The full analysis isn't out yet, but according to @jpthor, this could be a MPC exploit. ECDSA and TSS is hard. THORChain's vaults rely on TSS, a flavor of MPC where a quorum of nodes jointly produces a signature without ever reconstructing the private key. Clean for Schnorr or EdDSA; painful for ECDSA, which Bitcoin and Ethereum require. That's why we saw plenty of protocol attempts (Lindell17, GG18, GG20, CMP, CGGMP21, DKLS, KU23...), each patching flaws in the previous one. GG20 has a track record. THORChain's TSS uses GG20, on a fork of Binance's tss-lib. GG20 has shipped two well-publicized critical bugs: CVE-2023-33241 and TSSHOCK. CGGMP21, now cggmp24, are the latest protocols, but GG20 is still widely deployed. I often hear a misconception when I hear about MPC setup: "The key is split across many nodes, so any single co-signer doesn't really matter". In every published GG18/GG20 attack, one malicious or compromised co-signer is enough to extract everyone else's shard and reconstruct the full key. AI changes the threat model. Compromising a full software node, complex Go stack, exposed P2P, custom signing daemons, a churn protocol that admits new participants on a schedule, has always been difficult and acted as a barrier. With LLM-driven vulnerability discovery and exploit synthesis, the bar to compromise one of N validators is dropping fast. Here, it's a plausible TSSHOCK-style playbook: - compromise one operator - wait for it to churn into an active Asgard vault - send malformed proofs during keygen or signing - reconstruct the key offline - sweep in a single transaction It's unclear yet if the attacker used a known-unpatched GG20 weakness, or a fresh cryptographic flaw. But, in all cases, MPC and TSS are not a substitute for hardening every co-signer. They sit on top of co-signers that must each be treated as critical infrastructure, hardware-isolated enclaves, minimally exposed, continuously audited, and running protocol with security proofs. While the investigation progresses, be careful in your interactions onchain. These TSS setup are used in various protocols.
The worst part of Covid was that 20 million people died
We won't be far behind if C-22 passes. In its current state, VPNs would almost certainly require us to log identifying user data. Signal isn't headquartered in Canada so they can just shut off Canadian servers, but our HQ is. We pay an ungodly amount of taxes to this corrupt government, and in return they want to destroy the entire essence of our service to basically spy on its own citizens. Not happening. We'll move HQ and take our taxes elsewhere.
🇫🇷 FRANCE ID AGENCY HACKED “On April 15, 2026 hackers breached the portal of the agency that handles every French passport, national ID card, driver's license, and vehicle registration. A threat actor using the alias "breach3d" posted 18–19 million stolen records for sale on criminal forums the very next day. The exposed data includes full names, dates of birth, email addresses, postal addresses, phone numbers, and account identifiers. If you hold a French identity document, you should assume your data is compromised”.
