THORChain approves ADR028 while RUNE holders wait for the network to restart



THORChain said developers and security teams are still working to bring the network back online after the May 15 incident.

Summary

  • THORChain nodes approved ADR028, bringing the network closer to a phased restart after the exploit.
  • The hacker bounty is now active, while liquidity owned by the protocol is expected to cover remaining losses.
  • Developers are preparing to test version 3.19.0 with tss-lib entering a temporary closed security audit period.

In its latest update, the protocol said the focus is on restoring the network safely, “without rushing any steps.”

The update comes after the official THORChain exploit report said the network lost about $10.7 million from one of the five vaults. The operator of the newly compromised node entered the network two days before the exploit and used the GG20 Threshold Signature Scheme vulnerability to drain the affected vault, the report said. The remaining four vaults were not affected.

THORChain said the nodes have been upgraded to version 3.18.1, a patch that also restores the Rujira Network’s ability to manage credit accounts, including borrowing and repayment. The next step is to prepare and test version 3.19.0, which will include more changes before any mainnet push.

The release is expected to move to Stagenet by the end of the next day, the protocol said, but added that “the exact timeline has not yet been confirmed.” Once the mainnet version is ready, node operators will be required to quickly upgrade so that the network can restart safely.

ADR028 approval activates hacker bounty

The latest update said that ADR028 has been approved, taking THORChain’s recovery plan to its next stage. The proposal was opened to a vote after the incident and set the main recovery direction for the protocol.

As previously reported by crypto.news, ADR028 is designed to restart THORChain after an exploit without minting new RUNE, selling RUNE, or diluting holders. The plan uses protocol-owned liquidity first, with any remaining shortfall distributed to token holders.

With ADR028 now approved, THORChain said the bounty window is active. This gives the attacker an opportunity to return part of the stolen funds. The protocol also said that it plans to cover the remaining loss using protocol-owned liquidity, though final numbers will be shared later.

The recovery plan also includes full slashing of the attacker’s node. THORChain previously said that innocent nodes in the same vault will be protected, while recovered RUNE will be paired with assets recovered from the affected vault. Any excess RUNE will be burned.

Security audit moves tss-lib behind closed doors

THORChain also said that tss-lib has been moved to closed source for a few weeks. The move gives THORSec time to complete a full security audit without revealing active remediation work, the protocol said.

This decision represents a short-term shift for a protocol built on open development. THORChain said the repository will reopen after the audit is completed. The step is part of the post-exploit security review related to GG20.

The official exploit report said automatic solvency checks detected a treasury imbalance within minutes. Node operators then used manual pausing and Mimir governance votes to stop trading, signing, chain observation, and churning within approximately two hours of the community being alerted.

The THORChain report also stated that version 3.18.1 was released as an immediate precaution to protect the remaining vaults while the investigation continues. The longer recovery path will now depend on the 3.19.0 release, node approval, audits, and governance follow-up.

DeFi exploit pressure remains high

The THORChain incident first attracted wider attention when blockchain investigator ZachXBT warned that losses could exceed $10 million across Bitcoin, Ethereum, BSC, and Base. As crypto.news reported, on May 15 THORChain temporarily suspended trading and used a global emergency halt after an exploit alert spread online.

The same report noted that RUNE declined sharply following the warning as users waited for clearer information from the protocol’s operators. Initial estimates put the loss at more than $7.4 million, before updated tracking indicated at least $10 million had been stolen.

The restart process now includes two tests. The first is technical: developers need to ensure that patched versions can support secure network operations. The second is financial: the protocol must finalize loss coverage, bounty conditions and payback numbers without creating new RUNE supply.




