
THORChain exploit raises fresh concerns over MPC wallet security

THORChain's latest exploit is drawing attention to possible weaknesses in MPC and threshold-signature wallet infrastructure.

THORChain halted trading and signing activity after one of its Asgard vaults was compromised in an exploit that drained roughly $10.7 million to $10.8 million, according to statements from the protocol and security researchers.

In an announcement posted on 15 May, THORChain said the network automatically detected abnormal activity and suspended signing operations to prevent additional outbound transactions.

The protocol said:

  • one of six Asgard vaults appears to have been compromised,
  • churn activity has been paused,
  • and node operators have been asked to review infrastructure, key management systems, and operational security for signs of compromise.

THORChain added that initial indications suggest user funds were not directly affected and that the losses appear limited to protocol-owned funds.

Ledger CTO points to possible TSS vulnerability

Ledger CTO Charles Guillemet suggested the incident could involve a weakness tied to threshold signature scheme [TSS] infrastructure.

Referencing comments from THORChain contributor JP Thor, Guillemet said the exploit “could be a MPC exploit” involving GG20, a threshold signature protocol used in some multi-party computation [MPC] wallet systems.

THORChain’s vaults rely on TSS, a cryptographic system designed to allow multiple nodes to jointly produce signatures without reconstructing the full private key in one place.

However, Guillemet noted that earlier GG18/GG20-family protocols have historically faced critical vulnerabilities, including:

  • CVE-2023-33241,
  • and TSSHOCK.

He argued that in some previously documented attack scenarios, a single compromised co-signer could reconstruct enough information to recover the full signing key.

AI-assisted attacks may be changing validator security assumptions

One of the more notable parts of Guillemet’s analysis focused on artificial intelligence and infrastructure security.

He warned that advances in LLM-assisted vulnerability discovery and exploit generation may make it easier to compromise validator infrastructure that was previously considered difficult to attack.

According to Guillemet, a potential attack scenario could involve:

  • compromising a validator,
  • waiting for it to join an active vault,
  • exploiting malformed signing proofs during key generation or signing,
  • and reconstructing vault keys offline.

At the same time, he cautioned that the exact root cause of the exploit remains unclear and said investigators have not yet confirmed whether a known GG20 weakness or a previously undiscovered flaw was involved.

Investigation remains ongoing

THORChain contributors said the investigation is still ongoing and that additional updates will be released as remediation efforts continue.

The incident adds to growing scrutiny around the security assumptions behind MPC and TSS infrastructure, which are increasingly used across cross-chain protocols, custody systems, and institutional crypto infrastructure.


Final Summary

  • THORChain halted trading after a vault exploit drained roughly $10.8 million from protocol-owned funds.
  • Security researchers and Ledger CTO Charles Guillemet said the incident may involve weaknesses tied to MPC/TSS signing infrastructure.

 


Adewale Olarinde

Journalist
