THORChain has entered the next phase of recovery following the May 15 vault exploit.
Validators are now reviewing version 3.19.0, which combines security patches with the ADR-028 loss recovery plan.
The release also introduces a mechanism that can quarantine a compromised vault. THORChain said this would prevent an affected vault from processing transactions, while keeping its activity visible to the network.
Validators review THORChain v3.19.0
“The next major step in the recovery process is now underway,” THORChain said in its sixth incident update. Validators must vote to approve v3.19.0 before the network can begin the phased upgrade.
THORChain Incident Update #6
The next big step in the recovery process is now underway. Validators are asked to review, approve and prepare the v3.19.0 upgrade, which includes the TSS security patches and ADR028 implementation, designed to address the economic impact…
— THORChain (@THORChain) June 8, 2026
The release includes patches for the threshold signature system used to control THORChain vaults. It also implements ADR-028, the governance plan adopted after the exploit. The protocol said the upgrade would bring the network closer to restoring normal operations.
Version 3.19.0 includes a new Compromised Vault Mimir setting. Once enabled, the setting will isolate the empty vault from transaction processing without removing it from network monitoring.
Keyshare checks come before signing resumes
THORChain plans to validate the ADR-028 data migration after validators complete the upgrade. Each node must then verify the integrity of its key shares via a temporary protocol called keyverify.
Key shares allow validators to co-sign vault transactions without one operator holding the entire private key. The added check is intended to confirm that the remaining shares are intact before signing restarts.
After these checks, validators will stop the signing and start a churn. Churning replaces the active validator set and transfers assets to newly generated vaults. The network waits for that process to complete before restoring other services.
Secured and trading assets will return first. Actions from liquidity providers will follow, while trading will resume at the end of the eleven-step process. Each stage is dependent on successful completion of the previous checks.
ADR-028 covers losses without new $RUNE
As previously reported by crypto.news, THORChain validators approved ADR-028 in May. The plan uses liquidity held by the protocol to absorb losses before allocating any remaining shortfalls to synthetic asset holders.
The framework does not mint or sell new $RUNE. It also avoids immediate dilution for existing holders. Future system revenues will help rebuild the protocol’s liquidity after the restart.
THORChain also triggered a bounty window for the attacker and approved the complete severing of the linked node. The protocol said innocent nodes sharing the affected vault would remain protected.
Full restart still depends on validators
The May 15 exploit removed approximately $10.7 million from one of THORChain’s five vaults. THORChain’s report states that a newly added node exploited a weakness in the GG20 threshold signature implementation. Four other vaults remained untouched.
Automatic solvency checks detected the imbalance and stopped the signing within minutes. Node operators later halted trading, chain observation, and churning while developers investigated the attack.
Validator approval of v3.19.0 would trigger the final technical sequence, but it wouldn’t restore every service at once. THORChain will reopen signing, asset functions, liquidity actions and trading in stages after completing the vault, migration, key share and churn checks.
