THORChain network restart goes to the polls as node operators vote on ADR028

THORChain has opened a governance vote for node operators on its path to restarting operations after the May 15 exploit that drained approximately $10.7 million from a single vault.

The proposal, which was called ADR-028 lays out how the network would absorb losses and resume operations.

Which vulnerabilities led to the THORChain exploit?

A malicious actor had reportedly joined the network as a node operator two days before the attack. They then went on to exploit a flaw in THORChain’s GG20 threshold signature scheme (TSS), a cryptographic system that distributes vault key control across multiple independent nodes so no single operator ever holds the full private key.

Only one out of five vaults was affected, with security firm PeckShieldAlert estimating the haul at roughly $10 million, which was split between 36.75 BTC (around $3 million at the time) and approximately $7 million in assets across Ethereum, BNB Chain, and Base. THORChain’s own post-incident analysis put the figure at $10.7 million.

The protocol stated that the attack was spotted within minutes and chain-level trading halts were triggered with node operators staking manual pauses through its governance system, leading to total lockdown of the network within roughly two hours of the alarm.

RUNE, THORChain’s native token, dropped more than 21% in the days following the breach. It currently trades around $0.44 according to CoinMarketCap data.

What does ADR-028 propose?

ADR-028 was published by THORChain on GitLab with a vote opening for node operators. The protocol’s post on X stated the recovery plan would have THORChain “absorb the loss first through Protocol-Owned Liquidity,” adding that the rest of the loss would be spread across synth holders.

This means that the protocol-owned liquidity will be reduced to zero, and THORChain states that “the ADR proposes to redirect a portion of system income to replenish it over time.”

It stated that GG20 has been patched and upgraded, adding that nodes that are not linked to the attacker but affected by it due to being in the same vault would not be slashed. It also proposes that the attacker be offered 10% of the bounty to return the funds.

On GitLab, a commenter using the handle gave their feedback on the proposal, raising two points.

One of them was to strip the attacker bounty section from the ADR, stating that it should be handled through forensics and law enforcement. The second point pushed for a permanent allocation of system revenue toward external security audits, adversarial review of the TSS layer, and a funded bug bounty program with release gates tied to it.

“As written, the plan rebuilds one vault’s liquidity but does not yet fund anything against recurrence,” the commenter wrote on the GitLab snippet. “Worth fixing the cause alongside the balance sheet.”

The attacker’s trail

Blockchain analytics firm Chainalysis published on-chain evidence on May 16 connecting the attacker to wallets that were funded weeks before the theft. The firm traced the attacker’s movements through Monero, Hyperliquid, and THORChain itself.

One wallet deposited XMR through a Hyperliquid-Monero privacy bridge in late April, swapped the resulting position for USDC, then withdrew to Arbitrum and bridged to Ethereum. An intermediary then forwarded 8 ETH into the attacker’s receiving wallet just 43 minutes before stolen funds arrived, per Chainalysis.

What will happen to THORChain now? 

The node operator’s vote on ADR-028 will determine whether THORChain restarts under the proposed recovery framework or requires further revisions. 

THORChain had already identified a more modern signature scheme called DKLS as its long-term replacement for GG20 and had engaged Silence Labs in November 2025 to build a custom implementation, with delivery targeted for Q1 or Q2 2026, according to the exploit report.

If you're reading this, you’re already ahead. Stay there with our newsletter.