THORChain stated that, following the detection of unusual activity, the network has paused transactions and signing operations to prevent further fund outflows. According to disclosures by the protocol team and security researchers, an Asgard vault is suspected to have been compromised, resulting in losses of approximately $10.7 to $10.8 million.
The protocol's own funds are affected.
In a statement released on May 15, THORChain indicated that one of six Asgard vaults may have been compromised, and the current churn rotation process has been paused. The protocol has also asked node operators to review their infrastructure, key management systems, and operational security to identify any additional risks.
The protocol team initially indicated that user funds do not appear to have been directly affected; known losses are currently limited to the protocol’s own funds.
- Affected object: 1 Asgard vault
- Estimated loss: approximately $10.7 million to $10.8 million
- Current measures: Signing paused, trading paused, churn paused
Researchers highlight MPC/TSS risks
Ledger Chief Technology Officer Charles Guillemet stated that this incident may be related to infrastructure vulnerabilities associated with threshold signature schemes. He cited THORChain contributor JP Thor, who suggested the attack “may have been an MPC attack,” referencing threshold signature protocols such as GG20.
THORChain's vaults rely on the TSS mechanism, which allows multiple nodes to jointly perform signatures without concentrating the full private key at a single point. Guillemet noted that protocols such as GG18 and GG20 have previously been exposed to serious vulnerabilities, including CVE-2023-33241 and TSSHOCK.
He also noted that in some publicly disclosed attack scenarios, a single compromised signing party could theoretically recover enough information to reconstruct the full signing key.
The attack path has not yet been confirmed.
Guillemet also noted that, with the vulnerability discovery and exploit generation capabilities of large models, the barrier for attackers to compromise validator infrastructure may be lowering. This means that node environments previously considered difficult to breach are now facing new security pressures.
The potential path he outlined includes: first gaining control of a validator node, waiting for it to enter the active vault, then exploiting anomalous proof data during key generation or signing, and ultimately reconstructing the vault key offline. However, he also emphasized that the root cause has not yet been confirmed, and investigators are still unable to determine whether this incident stems from a known GG20 vulnerability or a new, previously unknown one.
THORChain contributors stated that the investigation is still ongoing and further updates on remediation progress will be released. This incident has once again drawn market attention to the security of MPC and TSS infrastructure, as such solutions are widely used in cross-chain protocols, custodial systems, and institutional-grade crypto services.
