THORChain Unveils May 15 Exploit Recovery Plan; Node Operator Vote Underway

THORChain has published its fourth update on the May 15 attack, releasing recovery proposal ADR028 and opening voting to node operators. Under the proposed plan, the protocol would first cover losses using its own liquidity. Any remaining shortfall would be allocated to synthetic asset holders, with the split between protocol liquidity and synth holders still being assessed. Protocol-owned liquidity would be drawn down to zero and rebuilt gradually from system revenues. THORChain said the approach does not require minting or selling additional RUNE and would not dilute holders. On the technical front, GG20 has been temporarily kept in place with patches applied. Trading is expected to resume once the vulnerability is fully remediated and a node rotation is successfully completed. Future releases will follow a slower, more security-focused schedule. THORChain said non-malicious nodes that happened to be in the same vault as the attacker will be protected, while the attacker's nodes will be fully slashed. Any recovered RUNE will be paired with recovered assets, and any excess will be burned. The protocol also said it has offered the attacker a bug bounty in exchange for returning funds; if partial restitution occurs, the recovery plan would be adjusted proportionally. THORChain emphasized it remains neutral and permissionless, and once trading reopens it will not censor swaps originating from the attacker. Node operators are currently voting on the proposal's direction. THORChain noted that figures in ADR028 are indicative and may be adjusted later via Mimir.