THORChain Restart Vote Opens as ADR028 Sets Exploit Recovery Path
Highlights:
- THORChain node operators are voting on ADR028 after the May 15 vault exploit.
- ADR028 uses protocol-owned liquidity first before sharing losses with synth holders.
- The plan avoids new RUNE minting, forced sales, and holder dilution.
THORChain node operators have started voting on ADR028, a restart plan after the May 15 vault exploit. The proposal gives the network a route back to normal activity, although it leaves final figures for later governance. According to the official incident report, the attacker drained about $10.7 million from one of five vaults. The other four vaults avoided losses, while contributors traced the attack to a GG20 threshold signature weakness.
Advertisement
The report said the attacker likely joined as a newly churned node operator before exploiting the vault. Automatic solvency checks flagged the imbalance within minutes. Then, node operators used pauses and Mimir votes to halt trading, signing, chain observation, and churning. The network reached those pauses within two hours after the community alert.
THORChain Recovery Plan Avoids Fresh RUNE Supply Pressure
ADR028 puts protocol-owned liquidity at the front of the recovery plan. Under this structure, the protocol absorbs losses before synth holders take any remaining shortfall. However, contributors still need Mimir governance to settle the exact split. The proposal also reduces protocol-owned liquidity to zero, then rebuilds it gradually through future system income.
The plan will not involve new RUNE creation, forced token sales, or holder dilution. Instead, it redirects future revenue toward repair but maintains the token supply unchanged. Additionally, the document gives the attacker a white-hat route to return funds for a bounty. If the attacker returns only part of the assets, the recovery adjustments roll back by share.
THORChain Incident Update #4
Following the events of May 15th, the community has been hard at work defining a path forward. ADR028 is now published and a vote is open for Node Operators.🔹 The Recovery Plan 🔹
The protocol will absorb the loss first through Protocol-Owned…— THORChain (@THORChain) May 22, 2026
ADR028 also outlines the slashing approach. The attacker’s node faces full penalties, while innocent nodes in the affected vault avoid punishment. Recovered RUNE would pair with recovered external assets from the vault. After that, any surplus RUNE would go to a burn, according to the proposal.
Security Fixes Come Before Trading Returns
Developers plan to keep GG20 for now, but only after patches and upgrades. Trading and sensitive action will resume after the vulnerability fix and a successful validator churn. As a result, both the governance support and technical readiness are essential for a restart. Slower releases are also part of the plan, with security becoming more important than faster feature shipping.
THORChain also plans a slower release schedule after the suspected TSS-related exploit. Developers now want stability and security to guide future updates. Additionally, the protocol says it will remain neutral and permissionless after the attack. The proposal says the attacker’s swaps will not face censorship once trading resumes.
Recent Hacks Keep Pressure on DeFi Security
The vote arrives during a difficult stretch for DeFi security. On May 18, Verus Ethereum bridge lost more than $11.5 million after attackers used a forged cross-chain transfer message. Security firms linked that case to missing validation checks. The hacker has, however, returned 4,052.4 ETH worth $8.5M after being offered a bounty worth 1,350 ETH.
#PeckShieldAlert The @veruscoin Bridge exploiter has returned 4,052.4 $ETH (~$8.5M) to the team address: 0xF9AB…C1A74.
The returned funds represent 75% of the stolen total, leaving a 25% bounty (1,350 $ETH, ~$2.8M) in the exploiter's wallet. https://t.co/ZFIqnHBwZk pic.twitter.com/vPsiOigyQ5
— PeckShieldAlert (@PeckShieldAlert) May 22, 2026
On May 19, Echo Protocol suspended cross-chain activity after an incident affected its Monad bridge. PeckShield and Lookonchain said the Echo attacker minted 1,000 unauthorized eBTC tokens. Monad CEO Keone Hon said the network stayed safe, with losses near $816,000. April also brought heavy losses, as protocols lost more than $606 million in the first 18 days alone. KelpDAO and Drift Protocol made up most of that damage.
eToro Platform
Best Crypto Exchange
- Over 90 top cryptos to trade
- Regulated by top-tier entities
- User-friendly trading app
- 30+ million users
eToro is a multi-asset investment platform. The value of your investments may go up or down. Your capital is at risk. Don’t invest unless you’re prepared to lose all the money you invest. This is a high-risk investment, and you should not expect to be protected if something goes wrong.
Advertisement
Raymond Munene
Raymond Munene is a crypto content writer who contributes to Crypto2Community. With over three years of experience, he is interested in Bitcoin, Blockchain, and Technical Analysis. Focusing on daily market analysis, his research helps traders and investors alike. His particular interest in cryptocurrency and blockchain aids his audience.
View full profile ›ℹ️About Crypto2Community's Editorial Process
Crypto2Community's editorial policy is centered on delivering thoroughly researched, accurate, and unbiased content. We uphold strict editorial policy and sourcing standards, and each page undergoes diligent review by our team of top crypto industry experts and seasoned editors. This process ensures the integrity, relevance, and value of our content for our readers.
