THORChain, a decentralized exchange protocol between blockchains, submitted the v3.19.0 update to a vote of its validators on June 8, which includes security patches and an 11-step recovery plan.
The network has been down since May 15, when a malicious validator node drained $10.7 million in Bitcoin, Ethereum, BNB Chain, and Base assets, according to the postmortem published by THORChain.
According to the protocol, The attacker entered the network on May 13 as a legitimate node and participated for two days in routine signing operations using the GG20 cryptographic scheme — which allows multiple nodes to jointly sign transactions without any one possessing the full key. That access allowed him to reconstruct the private key of one of the protocol’s six Asgard vaults and execute unauthorized outbound transactions, affecting approximately 20% of the funds in active vaults. THORChain stated that user funds were not affected.
The v3.19.0 update incorporates patches to the threshold signature system (TSS) and implements ADR-028, designed to mitigate the economic impact of hacking. Its core component is the Compromised Vault mimir: a mechanism that allows the network to quarantine compromised vaults and prevent them from participating in transaction processing. Before resuming trading, validators will need to complete a temporary node-by-node shared key verification protocol, called keyverify.
The recovery plan published by THORChain contemplates the following sequential steps:
- Vote approval of v3.19.0.
- Update the network.
- Activate vault quarantine.
- Validate the ADR-028 migration
- Verify the keyshares of each node
- Resume signing.
- Start the churn.
- Wait for its completion.
- Unlock secured assets, liquidity and trading actions.
History of undisclosed vulnerabilities
The May hack occurred against a backdrop of previous signals about security flaws in the protocol. As reported by CriptoNoticias, the firm V12 Security revealed that it had identified a different critical vulnerability at the end of April —which allowed a single validator node to bypass the confirmation requirement and empty liquidity pools— and that THORChain applied the patch without public communication or reward payment, claiming that its vulnerability reporting program was “permanently retired.” The QED Audit firm reported a similar situation in January, after discovering two bugs that would have allowed the theft of more than USD 40 million: both were corrected in v3.15.0 also without compensation.
TRM Labs, a blockchain analysis firm specialized in tracking illicit funds in crypto networks, noted that THORChain has historically operated as an infrastructure to move stolen assets between chainshaving been used to launder funds from the Bybit hack (USD 1.5 billion, February 2025) and the KelpDAO hack (USD 300 million, April 2026). According to TRM Labs, the protocol resists bridging interdiction mechanisms used in other incidents and complicates forensic attribution flows by its native cross-chain conversion capability without intermediary assets.
The protocol’s core cryptographic library, tss-lib, was temporarily placed in closed source for the THORSec team to complete an internal audit without exposing remediation work, according to communicated the protocol on May 27. The reopening of operations is conditional on v3.19.0 Complete testnet testing before deploying on the main network, no confirmed date.