THORChain offers hacker bounty as restart vote opens
THORChain node operators are voting on ADR028, a recovery plan that would restart the network after a $10.7 million exploit without minting new RUNE.
Summary
- THORChain’s ADR028 plan would use protocol-owned liquidity first before sharing remaining losses with synth holders.
- The proposal avoids new RUNE minting, token sales, or holder dilution while node operators vote on recovery.
- Recent DeFi exploits add pressure on THORChain to restart safely after patching its GG20 vulnerability.
THORChain said node operators are now voting on ADR028 after the May 15 incident. The proposal sets the direction for recovery, while exact figures remain open to later changes through Mimir governance.
The official exploit report said the attacker drained about $10.7 million from one of five vaults. THORChain said the attacker was a newly churned node operator who exploited a GG20 Threshold Signature Scheme vulnerability. The other four vaults were not affected.
Recovery plan avoids new RUNE
Under ADR028, protocol-owned liquidity would absorb the loss first. Any remaining shortfall would then be shared across synth holders. THORChain said the split is still being reviewed and will be adjusted later.
The proposal says no new RUNE will be minted, no RUNE will be sold, and holders will not be diluted. Protocol-owned liquidity would be reduced to zero, with part of future system income redirected to rebuild it over time.
Moreover, THORChain said GG20 will stay in place for now, but it must be patched and upgraded before trading resumes. The network will also need a successful churn before normal activity returns.
The exploit report said automatic solvency checks detected the vault imbalance within minutes. Node operators then used manual pauses and Mimir votes to halt trading, signing, chain observation, and churning within about two hours of the community alert.
Recent DeFi exploits add pressure
The THORChain vote comes after earlier reports said the protocol halted trading when ZachXBT warned that losses could top $10 million across Bitcoin, Ethereum, BSC, and Base. Related coverage noted that RUNE fell after the alert as users waited for clearer details from protocol operators.
The incident also follows a busy period for crypto exploits. Recent reports said the Verus Ethereum bridge lost more than $11.5 million after attackers used a forged cross-chain transfer message. Security firms linked that exploit to missing validation checks in the bridge process.
April also showed how heavy the pressure on DeFi security has become. Crypto protocols lost more than $606 million in the first 18 days of April, led by the $292 million KelpDAO breach and the $285 million Drift Protocol exploit.
TRM Labs also reported that North Korea-linked actors drove about 76% of global crypto hack losses in the first four months of 2026. The firm put those losses at about $577 million through April.
Attacker faces slashing and bounty offer
ADR028 proposes full slashing for the attacker’s node. THORChain said innocent nodes assigned to the same vault would be protected. Recovered RUNE would be paired with any assets recovered from the affected vault, while surplus RUNE would be burned.
The proposal also offers the attacker a bounty to return the funds. If funds are returned in part, the recovery plan would roll back by the same share. THORChain also said the protocol will remain neutral and permissionless, meaning the attacker’s swaps will not be censored once trading resumes.
The vote now gives node operators a path to approve the recovery direction. It does not finalize every number. The main test is whether THORChain can restart safely, absorb losses without new RUNE, and restore confidence after another high-profile DeFi exploit.
