THORChain said developers and security teams are still working to bring the network back online after the May 15 incident.
In its latest update, the protocol said the focus is on restoring the network safely, “without rushing any steps.”
The update comes after THORChain’s official exploit report said the network lost about $10.7 million from one of five vaults. The report said a newly churned node operator entered the network two days before the exploit and used a GG20 Threshold Signature Scheme vulnerability to drain the affected vault. The remaining four vaults were not affected.
THORChain said nodes have upgraded to v3.18.1, a patch that also restores Rujira Network’s ability to manage credit accounts, including borrowing and repayments. The next step is cutting and testing v3.19.0, which will include more changes before any mainnet push.
The protocol said the release is expected to move to stagenet by the end of the following day, but added that an “exact timeline is yet to be confirmed.” Once the mainnet version is ready, node operators will be asked to upgrade quickly so the network can restart safely.
ADR028 approval activates hacker bounty
The latest update said ADR028 has been approved by nodes, moving THORChain’s recovery plan into its next phase. The proposal had opened for voting after the incident and set the main recovery direction for the protocol.
THORChain Incident Update #5
The devs and security teams are working hard to bring the network safely back online. The focus is on getting this right, without rushing any steps. Security and stability remain the top priorities.Nodes have upgraded to v3.18.1, which contained a…
— THORChain (@THORChain) May 27, 2026
As previously reported by crypto.news, ADR028 was designed to restart THORChain after the exploit without minting new $RUNE, selling $RUNE, or diluting holders. The plan uses protocol-owned liquidity first, with any remaining shortfall spread across synth holders.
With ADR028 now approved, THORChain said the bounty window is active. That gives the attacker a chance to return part of the stolen funds. The protocol also said it plans to cover the remaining loss using protocol-owned liquidity, though final figures will be shared later.
The recovery plan also includes full slashing of the attacker’s node. THORChain previously said innocent nodes that were in the same vault would be protected, while recovered $RUNE would be paired with recovered assets from the affected vault. Any surplus $RUNE would be burned.
Security audit shifts tss-lib behind closed doors
THORChain also said tss-lib has been moved to closed source for a few weeks. The protocol said the move gives THORSec time to complete a full security audit without exposing active remediation work.
That decision marks a short-term shift for a protocol built around open development. THORChain said the repository will reopen after the audit is complete. The move is tied to the security review after the GG20-related exploit.
The official exploit report said automatic solvency checks detected the vault imbalance within minutes. Node operators then used manual pauses and Mimir governance votes to stop trading, signing, chain observation, and churning within about two hours of the community alert.
THORChain’s report also said v3.18.1 was released as an immediate precaution to protect remaining vaults while the investigation continues. The longer recovery path will now depend on v3.19.0, node adoption, audit work, and governance follow-through.
DeFi exploit pressure remains high
The THORChain incident first drew wider attention when blockchain investigator ZachXBT warned that losses could top $10 million across Bitcoin, Ethereum, BSC, and Base. Crypto.news reported on May 15 that THORChain paused trading and used a global emergency halt after the exploit alert spread online.
The same report noted that $RUNE dropped sharply after the warning as users waited for clearer information from protocol operators. Early estimates placed the loss above $7.4 million, before updated tracking pointed to at least $10 million stolen.
The restart process now carries two tests. The first is technical: developers need to confirm that the patched releases can support safe network operations. The second is financial: the protocol must finalize loss coverage, bounty terms, and recovery figures without creating new $RUNE supply.