THORChain has taken a major step forward in its recovery after the May 15 exploit: nodes have approved ADR028, clearing the path for a controlled network restart while RUNE holders wait for a full mainnet push.
What happened
- On May 15, an attacker exploited a GG20 Threshold Signature Scheme vulnerability to drain one of THORChain’s five vaults. The protocol’s official report says the loss was about $10.7 million from that single vault; the other four vaults were not affected. Blockchain investigator ZachXBT earlier warned total losses could exceed $10 million across Bitcoin, Ethereum, BSC and Base, prompting a global emergency halt and a pause in trading.
- THORChain’s automatic solvency checks flagged the imbalance within minutes, and node operators used manual pauses and Mimir governance votes to halt trading, signing, chain observation and churning within roughly two hours of the community alert.
Technical progress
- Nodes have been upgraded to v3.18.1, an emergency patch that protects remaining vaults and restores Rujira Network’s credit-account functionality (borrowing and repayments).
- Developers are preparing v3.19.0 next; it will include additional fixes and hardening. THORChain expects that release to move to stagenet imminently (the team said “by the end of the following day,” but an exact timeline is not confirmed). Once a vetted mainnet build is ready, node operators will be asked to upgrade quickly to enable a safe restart.
ADR028 and the recovery plan
- ADR028—now approved by nodes—sets the protocol’s recovery direction. Crucially, the proposal restarts THORChain without minting new RUNE, selling protocol RUNE, or otherwise diluting holders.
- The plan prioritizes protocol-owned liquidity to cover losses first; any remaining shortfall would be allocated across synth holders. The bounty window is now open, giving the attacker an opportunity to return some of the stolen funds. THORChain says it will use protocol-owned liquidity to cover the rest, with final figures to be revealed later.
- The recovery also includes full slashing of the attacker’s node. THORChain has committed to protecting innocent nodes that shared the vault, pairing any recovered RUNE with recovered assets from the affected vault, and burning any surplus RUNE.
Security posture and audits
- In a temporary and notable shift from its usual open-source stance, THORChain has moved its tss-lib repository to closed source for a few weeks. The team says this allows THORSec to complete a full security audit without exposing active remediation work; the repo will be reopened after the audit finishes.
- v3.18.1 was pushed as an immediate precaution while the investigation continues. The longer recovery timeline will hinge on v3.19.0, node adoption of upgrades, audit results, and governance follow-through.
What’s next
THORChain faces two parallel tests: a technical one—validating that patched releases and updated nodes can sustain safe network operations—and a financial one—finalizing the loss coverage plan, bounty terms, and recovery numbers without issuing new RUNE. With ADR028 approved and the emergency fixes in place, the protocol has moved from crisis containment to an organized recovery phase, but a cautious, multi-step restart remains the priority.
Read more AI-generated news on: undefined/news
