THORChain Approves ADR028 for Post-Exploit Restart

Key takeaways:

  • RUNE's price could rally if v3.19.0 swap restoration succeeds, but short-term volatility remains elevated.
  • The no-mint recovery plan showcases robust governance, potentially bolstering long-term RUNE investment sentiment.
  • Tss-lib’s temporary closed-source status, while pragmatic, may unsettle investors valuing full decentralization.

THORChain, the cross-chain decentralized exchange protocol, has taken another step toward a safe restart after a $10.7 million exploit on May 15. In its Incident Update #5 on May 27, the protocol confirmed that node operators approved governance proposal ADR028, unlocking a hacker bounty and outlining a recovery plan that does not involve minting new RUNE tokens or diluting existing holders.

The exploit leveraged a GG20 Threshold Signature Scheme vulnerability via a newly churned node, draining one of five vaults. Automatic solvency checks detected the imbalance within minutes, and node operators enacted manual pauses and governance votes to halt trading and other functions within two hours. In response, nodes upgraded to v3.18.1, a patch that also restores Rujira Network’s ability to manage credit accounts (namely borrowing and repayments), which had been offline since the attack.

With ADR028 now live, the bounty window is open, giving the attacker a chance to return part of the stolen funds. Any remaining shortfall will be covered using protocol-owned liquidity, with full slashing of the attacker’s node. Innocent nodes in the same vault will be protected, and any surplus RUNE will be burned.

The team is now cutting v3.19.0, the version expected to restore full swap activity. Additional changes are being folded in, and stagenet testing is tentatively slated for the end of May 28, though no hard timeline is set. Once the mainnet release is validated, all node operators will be asked to upgrade quickly to minimize downtime.

Separately, tss-lib—the core cryptographic library at the center of the GG20 vulnerability—has been temporarily closed-sourced for a few weeks. THORSec is conducting a full security audit, and the repository will reopen once remediation is complete. The temporary shift from open development is described as a deliberate precaution to avoid exposing active work to further risk.

Independent observers have praised the methodical response, noting that most protocols never recover from exploits of this magnitude. Still, two tests remain: the technical stability of v3.19.0 and the final financial settlement, which must be achieved without creating new supply. Whether the hacker will engage with the bounty remains the biggest unknown.

Sources
THORChain Patches Its Way Back: Security Wins Over Speed
www.livebitcoinnews.com 27.05.2026 18:30