THORChain approves ADR028 after $10.7M exploit, moves toward restart

THORChain lost $10.7M from one of five vaults in a May 15 exploit, pushing the cross-chain protocol to halt trading and approve a recovery plan.

"Developers and security teams are still working to bring the network back online after the May 15 incident," THORChain said in its latest update, adding that the focus is on restoring the network safely "without rushing any steps."

Nodes have upgraded to v3.18.1, a patch that restores Rujira Network's ability to manage credit accounts. The next release, v3.19.0, is expected to move to stagenet by the end of the following day, though an exact timeline has not been confirmed. The official exploit report said a newly churned node operator entered the network two days before the exploit and used a GG20 Threshold Signature Scheme vulnerability to drain the affected vault.

The recovery plan uses protocol-owned liquidity first, with any remaining shortfall spread across synth holders — no new RUNE minting, no RUNE selling, and no holder dilution. With ADR028 approved, the attacker's node will be fully slashed, while innocent nodes in the same vault will be protected. Recovered RUNE will be paired with recovered assets from the affected vault, and any surplus will be burned.

Hacker bounty and security audit

The bounty window is now active, giving the attacker a chance to return part of the stolen funds. THORChain said final loss figures will be shared later. The protocol also moved tss-lib to closed source for a few weeks, giving THORSec time to complete a full security audit without exposing active remediation work. The repository will reopen after the audit is complete.

The exploit drew attention when blockchain investigator ZachXBT warned that losses could top $10M across Bitcoin, Ethereum, BSC, and Base. RUNE dropped sharply after the warning as users waited for clearer information. Early estimates placed the loss above $7.4M before updated tracking pointed to at least $10M stolen.

The restart process now carries two tests. The first is technical: developers need to confirm that patched releases can support safe network operations. The second is financial: the protocol must finalize loss coverage, bounty terms, and recovery figures without creating new RUNE supply.

This article is for informational purposes only and does not constitute investment advice.