THORChain team has announced that developers and the security team are still working hard to bring the network back online following the May 15 incident. In the latest update, the protocol emphasized the importance of securely restoring the network, stating, "there is no rush in any steps."
THORChain revealed that nodes have been upgraded to v3.18.1, which restores the ability to manage credit accounts on the Rujira network, including borrowing and repayment. The next steps involve trimming and testing v3.19.0, which is expected to include more changes before being pushed to the mainnet.
The protocol indicated that a version is expected to be released to stagenet within the next two days, but "the exact timeline is yet to be confirmed." Once the mainnet version is ready, node operators will be required to upgrade swiftly to ensure a secure restart of the network.
ADR028 Proposal Approved, Activating Hacker Bounty
The latest update mentioned that ADR028 has been approved by the nodes, pushing THORChain's recovery plan into the next phase. The proposal opened for voting after the incident and set the main recovery direction for the protocol.
With the approval of ADR028, THORChain stated that the bounty window has opened, giving attackers the opportunity to return a portion of the stolen funds. The protocol also mentioned plans to use the liquidity owned by the protocol to cover the remaining losses, with specific figures to be announced later.
The recovery plan also includes a comprehensive reduction of the attacker nodes. THORChain previously stated that innocent nodes within the same vault would be protected, while the recovered RUNE will be paired with the assets recovered from the affected vault. Any excess RUNE will be burned.
Security Audit to Make tss-lib Closed Source
THORChain also revealed that tss-lib will be closed source for several weeks to allow THORSec time to conduct a comprehensive security audit without exposing active remediation work. This decision marks a short-term change, as the protocol is built on open development principles. THORChain stated that the codebase will reopen once the audit is completed. This move is related to the security review following the GG20-related attack.
The official attack report noted that the automatic solvency checks detected imbalances in the vault within minutes. Node operators subsequently used manual pauses and Mimir governance voting to halt trading, signing, chain observation, and replacements within about two hours of the community alert.
THORChain's report also indicated that v3.18.1 was released as a precautionary measure to protect the remaining vaults, and the subsequent recovery path will depend on v3.19.0, node adoption, audit work, and follow-up governance.
DeFi News Attack Pressure Remains High
The same report noted a significant drop in RUNE prices.