Headline: THORChain opens restart vote after $10.7M exploit — recovery plan avoids minting new RUNE
THORChain node operators have opened a vote on ADR028, a recovery framework to restart the network after a May 15 exploit that drained roughly $10.7 million from one vault. The proposal lays out how the protocol would absorb losses and resume operations without minting new RUNE, while finer details would be set later via Mimir governance.
What happened
- An attacker — identified as a newly churned node operator — exploited a vulnerability in THORChain’s GG20 Threshold Signature Scheme and drained one of five vaults. The other four vaults were not affected.
- Automatic solvency checks flagged the imbalance within minutes. Node operators used manual pauses and Mimir votes to halt trading, signing, chain observation and churning within about two hours of the alert.
- Earlier public warnings from security researcher ZachXBT prompted the protocol to halt trading amid expectations losses could exceed $10 million across chains including Bitcoin, Ethereum, BSC and Base. RUNE’s price fell as users awaited clarity.
Key points of ADR028
- No new RUNE will be minted, no RUNE sold, and holders will not be diluted.
- Protocol-owned liquidity (POL) would absorb the loss first; POL would be reduced to zero and rebuilt over time by redirecting a portion of future system income.
- Any remaining shortfall would be shared across synth holders; the exact split is still under review and may be adjusted through Mimir governance.
- The attacker’s node would face full slashing; innocent nodes assigned to the same vault would be protected.
- Recovered RUNE will be paired with any recovered assets from the affected vault; surplus RUNE will be burned.
- An attacker bounty is offered to incentivize return of funds; if funds are returned partially, the recovery plan would roll back proportionally.
- GG20 will remain in use for now but must be patched and upgraded before trading resumes. A successful churn will also be required before normal activity returns.
- THORChain will remain neutral and permissionless — the protocol says it will not censor the attacker’s swaps when trading restarts.
Broader context
The THORChain incident is the latest in a wave of high-profile DeFi breaches. Recent incidents include a Verus Ethereum bridge loss of about $11.5 million caused by a forged cross-chain message, and two massive April exploits that contributed to protocols losing more than $606 million in the first 18 days of that month (notably KelpDAO and Drift Protocol). TRM Labs reported that actors linked to North Korea accounted for roughly 76% of global crypto hack losses in the first four months of 2026, estimating about $577 million lost through April.
What’s next
The ADR028 vote gives node operators a path to approve the recovery direction but does not lock in every number — those specifics can be revised through Mimir governance. The key tests going forward are whether THORChain can: safely restart, absorb the loss without issuing new RUNE, patch GG20 and complete a secure churn, and ultimately restore user confidence after another major DeFi exploit.
Read more AI-generated news on: undefined/news
