THORChain is moving toward a network restart after a $10.7 million exploit, with node operators now voting on ADR028, a recovery proposal designed to absorb losses without minting new RUNE or diluting token holders.
THORChain Opens Vote on Recovery Plan
THORChain said node operators are voting on ADR028 following the May 15 exploit. The proposal outlines how the protocol could restart safely while leaving some final numbers open for later adjustment through Mimir governance.
According to the official exploit report, the attacker drained about $10.7 million from one of THORChain’s five vaults. The protocol said the attacker was a newly churned node operator who exploited a vulnerability in the GG20 Threshold Signature Scheme. The other four vaults were not affected.
ADR028 Avoids New RUNE Minting
Under the proposed recovery plan, protocol-owned liquidity would be used first to cover the loss. If any shortfall remains, it would be shared across synth holders.
Importantly, the plan says no new RUNE will be minted, no RUNE will be sold, and holders will not face dilution. Protocol-owned liquidity would be reduced to zero, while part of future system income would later be used to rebuild it.
THORChain also said the GG20 system must be patched and upgraded before trading resumes. The network will need a successful churn before normal operations can restart.
Security Response and Network Pause
The exploit report said automatic solvency checks detected the vault imbalance within minutes. Node operators then used manual pauses and Mimir votes to stop trading, signing, chain observation, and churning within about two hours of the community alert.
The fast pause helped limit the damage, but the incident still increased pressure on THORChain to prove that it can restart without exposing users to another attack.
DeFi Exploits Keep Pressure on Protocols
The THORChain incident comes during a difficult period for DeFi security. Recent attacks on Verus, KelpDAO, Drift Protocol, and other projects have shown how cross-chain systems and liquidity protocols remain major targets for hackers.
Reports also showed that crypto protocols lost hundreds of millions of dollars in April alone, with North Korea-linked groups responsible for a large share of global crypto hack losses in early 2026.
Attacker Faces Slashing and Bounty Offer
ADR028 proposes full slashing for the attacker’s node while protecting innocent nodes assigned to the same vault.
The proposal also offers the attacker a bounty if the stolen funds are returned. If the attacker returns part of the funds, the recovery plan would be reduced by the same share.
THORChain said it will remain neutral and permissionless, meaning the attacker’s swaps will not be censored once trading resumes.
Can THORChain Restore Confidence?
The vote gives node operators a clear path to approve the restart direction, but it does not finalize every detail.
The biggest test now is whether THORChain can patch the GG20 issue, restart trading safely, absorb losses without new RUNE, and rebuild user confidence after another high-profile DeFi exploit.
