CoinStats

THORChain Exploit Report Details $10.7M Vault Drain And ADR-028 Recovery Path

THORChain’s first post-incident breakdown gives the market a fuller account of the May 15 exploit that drained about $10.7 million from one protocol vault and forced emergency controls across the network. The update turns the earlier THORChain exploit alert into a more defined security case, with a named attack path, a clear response timeline and a recovery decision moving into governance through ADR-028.

The attacker was a newly churned node operator who entered the active validator set on May 13 with roughly 635,000 RUNE across two bond addresses. Two days later, the targeted vault was drained through unauthorized outbound transactions after the attacker allegedly reconstructed the vault private key and bypassed the normal GG20 signing ceremony. The loss figure was later revised from an initial estimate of about $7.4 million to roughly $10.7 million.

The incident did not affect the SOL pool, which uses EdDSA-based signing rather than the GG20 path named in the exploit analysis. Other vaults were also not drained. That distinction keeps the case focused on THORChain’s threshold-signature security layer, not on a compromise of every supported asset or a failure of the underlying chains connected to the protocol.

Security Layers Reacted, But After Funds Left

THORChain’s automatic solvency checks triggered within minutes after vault balances moved beyond expected levels. The reactive solvency system halted signing and trading across ETH, AVAX, BSC, BASE, DOGE and GAIA within about 52 minutes of the unauthorized transactions. The limit of that protection was timing: the attacker had already signed and broadcast transactions directly, leaving the checker to detect the imbalance after the vault had been hit.
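
The timing limit described above, shown in an added Go example that is not THORChain's code: a reactive check compares the protocol ledger with the on-chain balance, so it can halt protocol-side signing but only sees a transfer once it has confirmed. The names `Monitor`, `Observe` and `RequestOutbound`, the per-chain halt, the tolerance and all balances are assumptions made for illustration.

```go
package main

import "fmt"

// Monitor is a simplified reactive solvency checker (constructed model, not THORNode code).
type Monitor struct {
	Ledger, OnChain map[string]int64 // per-chain vault balance: protocol's view vs. chain's view
	Tolerance       int64            // shortfall allowed before a halt
	Halted          map[string]bool  // chains where signing and trading are stopped
}

func NewMonitor(start map[string]int64, tol int64) *Monitor {
	m := &Monitor{map[string]int64{}, map[string]int64{}, tol, map[string]bool{}}
	for c, v := range start {
		m.Ledger[c], m.OnChain[c] = v, v
	}
	return m
}

// Observe processes a transfer that has already confirmed on chain and returns
// the resulting shortfall (ledger minus on-chain). scheduled marks transfers the
// protocol itself queued; anything else moves funds without moving the ledger.
func (m *Monitor) Observe(chain string, delta int64, scheduled bool) int64 {
	m.OnChain[chain] += delta
	if scheduled {
		m.Ledger[chain] += delta
	}
	gap := m.Ledger[chain] - m.OnChain[chain]
	if gap > m.Tolerance {
		m.Halted[chain] = true
	}
	return gap
}

// RequestOutbound is the protocol-side signing path, the only path a halt can block.
func (m *Monitor) RequestOutbound(chain string, amount int64) bool {
	if m.Halted[chain] || amount > m.OnChain[chain] {
		return false
	}
	m.Observe(chain, -amount, true)
	return true
}

func main() {
	m := NewMonitor(map[string]int64{"ETH": 1000, "SOL": 500}, 10) // constructed balances
	fmt.Println(m.RequestOutbound("ETH", 100), m.Halted["ETH"])    // scheduled payout, no halt
	fmt.Println(m.Observe("ETH", -700, false), m.Halted["ETH"])    // unscheduled drain seen after the fact
	fmt.Println(m.RequestOutbound("ETH", 50), m.OnChain["ETH"])    // halt blocks signing; funds stay gone
}
```

In this model the halt stops every later protocol-signed outbound on the affected chain, while the shortfall that triggered it is already final on chain.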

Manual controls then turned the response into a broader network halt. Community alerts escalated at 09:08 UTC on May 15, node operators stacked one-hour pause windows, and Mimir governance votes activated network-wide emergency parameters. Trading, signing, chain observation and churning were halted through coordinated node action, with churning paused to stop the malicious node from leaving and to block additional suspicious churn during the investigation.

The immediate remediation path is patch v3.18.1, which was prepared to protect remaining vaults while the root-cause investigation continues. THORChain also warned users that there is no active refund, airdrop or compensation program, a necessary user-safety point as impersonation scams often appear around high-profile exploit recoveries.

ADR-028 Moves Recovery Into Governance

ADR-028 is now the main recovery track for the missing funds. Governance will decide whether losses are handled through bond slashing, protocol-owned liquidity, another recovery design or a blended approach. The selected plan is expected to be implemented through v3.19 after node operators reach broad consensus.

The governance route matters because the exploit hits the protocol’s balance sheet and security assumptions at the same time. Slashing would push losses toward node collateral tied to the affected vault, while protocol-owned liquidity would spread recovery through network resources. Any final design has to restore solvency without creating a weak precedent for future node behavior, liquidity provisioning or emergency coordination.

The next official disclosures now carry practical weight for users, liquidity providers and node operators: the final root-cause analysis, the v3.18.1 deployment status, the ADR-028 vote path, the chosen loss-absorption mechanism and the conditions for reopening normal THORChain activity. Until those items are settled, the exploit remains a live governance and security event rather than a closed postmortem.

The post THORChain Exploit Report Details $10.7M Vault Drain And ADR-028 Recovery Path appeared first on Crypto Adventure.
