Why THORChain Keeps Getting Hacked and Why It Keeps Coming Back
Last updated on July 5th, 2026 at 06:12 pm
What happens when a project gets hacked for millions of dollars?
Usually, the token dumps… the developers disappear… and the community is left with nothing.
But THORChain isn’t most projects.
For the fifth time in its history, THORChain was halted after a $10.7 million exploit… only to restart weeks later with new features and a renewed promise of security.
This isn’t just a story about a bug fix… it’s a story about a protocol that treats catastrophic failure as a part of its business model.
To understand if that’s brilliance or madness… you have to look at its long, painful history of getting it wrong.
Tale of a Leaking Key
Let’s begin with the latest Thorchain shutdown, which began on May 15, 2026… it was a result of a sophisticated attack on its core.
A malicious node operator didn’t blast through a wall… they slowly chipped away at it.
By exploiting a flaw in THORChain’s GG20 threshold signature scheme, they progressively leaked tiny fragments of key material.
Over time, these fragments were reassembled into a full private key, giving the attacker the keys to a vault and allowing them to drain over $10 million in assets.
The protocol’s response was predictable by now… a full network halt… a frantic month-long patching effort… and a complete migration of all vaults to a new, hardened system before going back online in late June.
The GG20 Signature Scheme
I realize that I just dropped a couple of phrases that might not make sense… especially to those of us who aren’t code developers…
So, I just told you that THORChain’s GG20 signature scheme was flawed… while that’s the basic premise… let’s give you a better picture…
To understand the flaw, you first have to understand the lock.
Let’s begin with answering the question… what’s a signature scheme?
In simple terms… it’s the set of mathematical rules a blockchain uses to prove ownership without revealing a secret… think of it like a personal, unbreakable seal.
In the world of Bitcoin or Ethereum, you use a secret private key to create a unique digital signature for a transaction… which anyone can verify with your public key.
It proves you authorized the transfer without ever exposing your secret key.
THORChain… being a more complex network… uses a “multi-signature” scheme called GG20, where control over funds is split among many different node operators.
It’s designed so that no single person, or server holds the key… instead, a majority must cooperate to create a valid signature.
The flaw wasn’t in the idea of sharing control… but in the execution.
The attacker found a way to trick the individual nodes into revealing tiny, harmless-seeming pieces of their shared secret.
It’s like if a dozen people were guarding a vault, and a thief tricked each one into giving up a single number of the combination… individually, the piece of information is useless… but when the thief collects them all, they have the full code and can walk right in.
This is what happened to THORChain’s GG20 scheme… the attacker collected enough leaked pieces to reconstruct the master key and unlock the vault.
Watch The Initial Report Of This Exploit On This Episode Of Matrix Money
THORChain’s Unfortunate History
So far in 2026, DeFi has been the focus of hackers… identifying vulnerable areas, and syphoning million in user funds.
These hacks have been so prevalent, that during a recent G7 meeting, a memorandum of concern was issued.
And this latest exploit on THORChain is just the latest in this list…
Moreover, for ThorChain… this isn’t an isolated incident… it’s a continuing pattern.
Now don’t misunderstand me… I actually LOVE ThorChain!
I have used… and will continue to use ThorChain… and frankly, I think that ThorChain is the fight direction for crypto’s DeFi space…
I have been promoting ThorChain since I first started talking about living on crypto.
But, since its inception, ThorChain has been a magnet for costly exploits.
You have to go back to 2021 to see the origins of this problem… that year alone, the protocol suffered two major hacks, one in April and another in July, resulting in the theft of millions in assets.
The cumulative losses from thefts since 2021 now approach a staggering $25 million.
The problems aren’t just coming from external sources… the protocol has faced internal crises too… like a critical bug in its validator software in October 2022 that halted the network for 20 hours by preventing nodes from reaching consensus.
This history of repeated failure isn’t a bug… it’s a feature of THORChain’s journey.
The “Break & Fix” Philosophy
So, after being hacked, losing millions, and halting its network for the fifth time… why would anyone trust it?
I would argue because of a radical… and some would say reckless philosophy… build in public… fail in public… and fix it in public.
THORChain treats its network as a live-fire exercise.
The economic recovery plan, known as ADR-028… sees the protocol itself absorb the losses through its own treasury before asking the community for reimbursement.
The May 2026 exploit has already sparked a critical debate about ditching its vulnerable GG20 scheme entirely in favor of a more robust framework.
As crazy as it may seem… each exploit seems to accelerate its development.
Since this exploit, the team is pushing forward to launch support for privacy coins like Monero and Zcash almost immediately after the restart.
Brilliant Resilience or Unacceptable Risk?
For some… I’m sure that THORChain is a paradox.
But, it’s one of the most battle-tested protocols in DeFi… having survived more catastrophic failures than almost any other.
It has a built-in mechanism for economic recovery and a community that seems to have an unshakeable appetite for risk.
But let me be clear… this is not a safe bet.
It’s a high-stakes gamble on a “break and fix” model that flies in the face of traditional security-first thinking.
Using THORChain today means accepting that another hack is not just possible… but probable.
The question you have to ask yourself is whether its resilience is a sign of a truly decentralized, anti-fragile system… or just a slow-motion car crash that we can’t look away from.
Either way, if you decide to use this protocol, use it the same way I tell you to use centralized exchanges… “use it like a public restroom… do your business… and get out.”
Disclaimer
The information provided here is for INFORMATIONAL & EDUCATIONAL PURPOSES ONLY!
View our complete disclaimer on our Disclaimer Page