Network Operators Greenlight Key Protocol Upgrade Following Multimillion-Dollar Security Breach, Paving Way for Native Token Relaunch

The governance vote passed on 27 May 2026, approving ADR028 as the primary recovery strategy following THORChain's May 15 exploit. ADR028 authorises a phased restart without issuing or selling new RUNE tokens. The approach preserves existing holder value. Nodes had already upgraded to v3.18.1, a patch that addresses the vulnerability and reinstates Rujira Network's credit account capabilities. The protocol confirmed a hacker bounty window is now open, giving the attacker an opportunity to return a portion of the stolen assets voluntarily.

A GG20 Threshold Signature Scheme flaw let a new node drain $10.7 million from one vaultTHORChain's official exploit report confirmed a loss of approximately $10.7 million from one of five active vaults on 15 May 2026. A newly added node operator exploited a GG20 Threshold Signature Scheme (TSS) vulnerability. The attacker drained the compromised vault two days after joining the network. The four remaining vaults were unaffected. Automated solvency checks identified the imbalance within minutes. Node operators then initiated manual pauses and governance votes to halt trading, signing, and chain observation within approximately two hours of the alert.

"The priority is to get this right, without rushing any steps. Security and stability remain paramount.", 27 May 2026.

— THORChain, Official Protocol Account 

Protocol-owned liquidity covers losses first, with any shortfall spread across synthetic holdersUnder ADR028, THORChain plans to deploy protocol-owned liquidity as the primary source of loss coverage. Any remaining shortfall will be distributed across synthetic asset holders. The attacker's node faces full slashing; innocent nodes associated with the same vault remain protected. Recovered RUNE will be paired with assets recovered from the affected vault, and any excess RUNE will be burnt. The protocol stated it will finalise loss coverage figures once bounty outcomes and audit progress are confirmed.

Developers are testing v3.19.0 as tss-lib enters a closed security auditThe team is preparing v3.19.0, which incorporates additional changes beyond the v3.18.1 patch, for stagenet testing ahead of any mainnet deployment. THORChain moved the tss-lib library to closed source temporarily. This allows THORSec to conduct a comprehensive security audit without exposing ongoing remediation work. The repository plans to reopen after the audit concludes. No exact restart date has been confirmed; the protocol stated it is prioritising a safe return over a fast one. THORChain's official exploit report confirmed a loss of approximately $10.7 million from one of five active vaults on 15 May 2026. A newly added node operator exploited a GG20 Threshold Signature Scheme (TSS) vulnerability. The attacker drained the compromised vault two days after joining the network. The four remaining vaults were unaffected. Automated solvency checks identified the imbalance within minutes. Node operators then initiated manual pauses and governance votes to halt trading, signing, and chain observation within approximately two hours of the alert.

"The priority is to get this right, without rushing any steps. Security and stability remain paramount.", 27 May 2026.

— THORChain, Official Protocol Account 

Protocol-owned liquidity covers losses first, with any shortfall spread across synthetic holdersUnder ADR028, THORChain plans to deploy protocol-owned liquidity as the primary source of loss coverage. Any remaining shortfall will be distributed across synthetic asset holders. The attacker's node faces full slashing; innocent nodes associated with the same vault remain protected. Recovered RUNE will be paired with assets recovered from the affected vault, and any excess RUNE will be burnt. The protocol stated it will finalise loss coverage figures once bounty outcomes and audit progress are confirmed.

Developers are testing v3.19.0 as tss-lib enters a closed security auditThe team is preparing v3.19.0, which incorporates additional changes beyond the v3.18.1 patch, for stagenet testing ahead of any mainnet deployment. THORChain moved the tss-lib library to closed source temporarily. This allows THORSec to conduct a comprehensive security audit without exposing ongoing remediation work. The repository plans to reopen after the audit concludes. No exact restart date has been confirmed; the protocol stated it is prioritising a safe return over a fast one. "The priority is to get this right, without rushing any steps. Security and stability remain paramount.", 27 May 2026.

— THORChain, Official Protocol Account 

Protocol-owned liquidity covers losses first, with any shortfall spread across synthetic holdersUnder ADR028, THORChain plans to deploy protocol-owned liquidity as the primary source of loss coverage. Any remaining shortfall will be distributed across synthetic asset holders. The attacker's node faces full slashing; innocent nodes associated with the same vault remain protected. Recovered RUNE will be paired with assets recovered from the affected vault, and any excess RUNE will be burnt. The protocol stated it will finalise loss coverage figures once bounty outcomes and audit progress are confirmed.

Developers are testing v3.19.0 as tss-lib enters a closed security auditThe team is preparing v3.19.0, which incorporates additional changes beyond the v3.18.1 patch, for stagenet testing ahead of any mainnet deployment. THORChain moved the tss-lib library to closed source temporarily. This allows THORSec to conduct a comprehensive security audit without exposing ongoing remediation work. The repository plans to reopen after the audit concludes. No exact restart date has been confirmed; the protocol stated it is prioritising a safe return over a fast one. Protocol-owned liquidity covers losses first, with any shortfall spread across synthetic holdersUnder ADR028, THORChain plans to deploy protocol-owned liquidity as the primary source of loss coverage. Any remaining shortfall will be distributed across synthetic asset holders. The attacker's node faces full slashing; innocent nodes associated with the same vault remain protected. Recovered RUNE will be paired with assets recovered from the affected vault, and any excess RUNE will be burnt. The protocol stated it will finalise loss coverage figures once bounty outcomes and audit progress are confirmed.

Developers are testing v3.19.0 as tss-lib enters a closed security auditThe team is preparing v3.19.0, which incorporates additional changes beyond the v3.18.1 patch, for stagenet testing ahead of any mainnet deployment. THORChain moved the tss-lib library to closed source temporarily. This allows THORSec to conduct a comprehensive security audit without exposing ongoing remediation work. The repository plans to reopen after the audit concludes. No exact restart date has been confirmed; the protocol stated it is prioritising a safe return over a fast one. Under ADR028, THORChain plans to deploy protocol-owned liquidity as the primary source of loss coverage. Any remaining shortfall will be distributed across synthetic asset holders. The attacker's node faces full slashing; innocent nodes associated with the same vault remain protected. Recovered RUNE will be paired with assets recovered from the affected vault, and any excess RUNE will be burnt. The protocol stated it will finalise loss coverage figures once bounty outcomes and audit progress are confirmed.

Developers are testing v3.19.0 as tss-lib enters a closed security auditThe team is preparing v3.19.0, which incorporates additional changes beyond the v3.18.1 patch, for stagenet testing ahead of any mainnet deployment. THORChain moved the tss-lib library to closed source temporarily. This allows THORSec to conduct a comprehensive security audit without exposing ongoing remediation work. The repository plans to reopen after the audit concludes. No exact restart date has been confirmed; the protocol stated it is prioritising a safe return over a fast one. The team is preparing v3.19.0, which incorporates additional changes beyond the v3.18.1 patch, for stagenet testing ahead of any mainnet deployment. THORChain moved the tss-lib library to closed source temporarily. This allows THORSec to conduct a comprehensive security audit without exposing ongoing remediation work. The repository plans to reopen after the audit concludes. No exact restart date has been confirmed; the protocol stated it is prioritising a safe return over a fast one. Cryptocurrencies are highly volatile and involve significant risk. You may lose part or all of your investment. All information on Coinpaprika is provided for informational purposes only and does not constitute financial or investment advice. Always conduct your own research (DYOR) and consult a qualified financial advisor before making investment decisions. Coinpaprika is not liable for any losses resulting from the use of this information.