TheCryptoUpdates

THORChain begins 11-step restart after $10.7M hack

THORChain is moving forward with its recovery plan after the $10.7 million vault exploit on May 15. Validators are now reviewing version 3.19.0, a software update that combines security patches with a loss-recovery framework. The protocol called it “the next major step” in a series of six incident updates.

Validators review THORChain v3.19.0

The update packages patches for the threshold signature system (TSS), which controls THORChain vaults. It also includes ADR-028, a governance plan approved after the exploit. Validators must vote before the network can start the staged upgrade.

Version 3.19.0 introduces a new Compromised Vault Mimir setting. Once enabled, it isolates a drained vault from transaction processing while keeping it visible to the network. This lets the protocol monitor any suspicious activity without halting the rest of the network.

Keyshare checks come before signing resumes

After validators complete the upgrade, THORChain plans to validate the ADR-028 data migration. Every node must then run a temporary protocol called keyverify to check the integrity of its keyshares. Keyshares let validators sign vault transactions together without any single operator holding the full private key. This step aims to confirm that the remaining shares are undamaged.

If the checks pass, validators will unhalt signing and start a churn. Churning replaces the active validator set and moves assets into newly generated vaults. The network will wait for that process to finish before resuming other services.

ADR-028 covers losses without new $RUNE

As previously reported by crypto.news, THORChain validators approved ADR-028 in May. The plan uses protocol-owned liquidity to absorb losses first. Any remaining shortfall is distributed across synthetic asset holders. The framework does not mint or sell new $RUNE, avoiding direct dilution for existing holders. Future system income will help rebuild protocol-owned liquidity after the restart.

The protocol also activated a bounty window for the attacker and approved full slashing of the linked node. Innocent nodes that shared the affected vault are protected.

Full restart still depends on validators

The May 15 exploit drained about $10.7 million from one of THORChain’s five vaults. A newly added node exploited a weakness in the GG20 threshold signature implementation. Four other vaults remained untouched.

Automatic solvency checks caught the imbalance and halted signing within minutes. Node operators later paused trading, chain observation, and churning while developers investigated. Validator approval of v3.19.0 would begin the final technical sequence, but not all services will return at once. Secured and Trade assets will come first. Liquidity-provider actions follow. Trading resumes last, once the vault, migration, keyshare, and churn checks are complete.
