THORChain has entered a critical phase of its recovery after the May 15 exploit that drained about $10.7 million from one of the protocol’s five vaults. Validators are now reviewing version 3.19.0 — a combined release of security fixes for the threshold signature system (TSS) and the previously approved ADR-028 loss-recovery plan — that will kick off an 11-step, staged restart of the network.
What’s in v3.19.0
- TSS patches addressing the GG20 threshold signature weakness that the attacker exploited via a newly added node.
- ADR-028 implementation, the governance-approved framework that determines how losses are absorbed and how the network rebuilds.
- A new “Compromised Vault” Mimir setting that can quarantine an affected vault: it prevents that vault from processing transactions while keeping its activity visible to the network for audit and monitoring.
The phased technical sequence
Validators must vote to approve v3.19.0 before the staged restart can begin. THORChain’s recovery roadmap calls for a series of checks and operations designed to secure funds and restore services without exposing further risk:
1. Validators install the upgrade and validate the ADR-028 data migration.
2. Every node runs a temporary “keyverify” protocol to check the integrity of keyshares — the split-signature pieces that let multiple validators sign together without any single operator holding the full private key.
3. Once keyshares are confirmed intact, signing is unhalted and the network initiates a churn, replacing the active validator set and migrating assets into newly generated vaults.
4. Services are resumed in stages: secured and trade assets come back first, liquidity-provider functions follow, and trading is the last service to be restored — all contingent on successful completion of prior steps.
Loss-recovery and protections
ADR-028, which validators approved in May, uses protocol-owned liquidity (POL) to absorb losses before applying any shortfall across synthetic asset holders. The plan explicitly avoids minting or selling new RUNE and does not directly dilute existing holders; future system income will be used to rebuild POL after the restart.
Additional measures
- A bounty window has been opened for the attacker to return funds.
- The node linked to the exploit has been fully slashed; THORChain says innocent nodes that shared the affected vault are being protected.
- Automatic solvency checks detected the imbalance during the attack and halted signing within minutes. Node operators subsequently paused trading, chain observation and churning while developers investigated.
Context and next steps
Only one of THORChain’s five vaults was drained in the May 15 exploit; the other four remained unaffected. Validator approval of v3.19.0 would launch the final technical sequence described above but will not bring the network straight back to full functionality — services will be carefully and sequentially restored as each security and integrity check completes.
The community and observers will be watching validator votes and the churn process closely in coming days as THORChain aims to move from incident response to safe, staged recovery.
Read more AI-generated news on: undefined/news
