THORChain is entering a critical phase of its recovery process following the May security incident, with validators now reviewing and preparing to approve the protocol’s v3.19.0 upgrade aimed at restoring normal network operations.
In its latest Incident Update 6, the protocol said the proposed release contains TSS security patches and the implementation of ADR028, a governance proposal designed to address both the technical and economic impact of the exploit.
According to THORChain, one of the most significant additions in the upgrade is a new mechanism that enables the network to quarantine compromised vaults. This feature is intended to prevent affected vaults from participating in transaction processing while maintaining full transparency over their activity.
Validators prepare for recovery vote
The recovery plan outlines a multi-step process that begins with validator approval of version 3.19.0.
If approved, node operators will upgrade the network before activating the compromised-vault mechanism, validating the ADR028 store migration, and verifying node keyshares through a temporary key verification protocol.
After these checks are completed, THORChain plans to gradually resume network functions, including signing operations, validator churn, secured assets, trading services, and liquidity provider actions.
“Validators are being asked to review, approve, and prepare for the v3.19.0 upgrade,” the team said, adding that the release represents the next major milestone in bringing the network back online safely.
Recovery Efforts Build on Earlier Governance Proposal
The latest update follows several weeks of development and governance discussions after the exploit that occurred on May 15.
In Incident Update 5, released on May 27, the team confirmed that nodes had upgraded to v3.18.1, which restored certain functionalities and included security patches while developers continued testing version 3.19.0.
The protocol also noted that ADR028 had been approved by node operators, activating a bounty program that provides the attacker with an opportunity to return a portion of the stolen funds. THORChain stated that any remaining losses would be covered through Protocol-Owned Liquidity.
Earlier, in Incident Update 4 published on May 22, the protocol detailed a broader recovery framework that proposed absorbing losses through a combination of Protocol-Owned Liquidity and system adjustments without minting new RUNE tokens or diluting existing holders.
The proposal also outlined protections for innocent validators that happened to share infrastructure with the attacker while calling for the malicious node to be fully slashed.
Security Remains Top Priority
THORChain developers emphasized throughout the recovery process that network security remains the primary focus.
As part of the remediation effort, the protocol temporarily moved parts of its TSS infrastructure to closed source to allow security teams to conduct a comprehensive audit without exposing ongoing fixes.
The team stated that trading and other network services will only resume after the vulnerability has been fully patched and a successful validator churn has been completed.
Hack Revived Debate Over Recovery Options
The incident has also renewed discussion around how decentralized protocols should handle major security breaches.
Notably, the exploit occurred shortly after community discussions around a recovery plan highlighted difficult choices between slashing validator bonds, using protocol-owned reserves, and implementing governance-led compensation mechanisms.
Earlier reports surrounding the incident suggested that THORChain’s governance was evaluating whether losses should primarily be absorbed through node bond slashing or the deployment of protocol-owned liquidity reserves. The final ADR028 framework ultimately favored using protocol resources to stabilize the network while avoiding dilution of RUNE holders.
Network Restart Hinges on Validator Approval
With the upgrade package now ready, the next phase depends on validator consensus.
If approved, the network upgrade could begin immediately, allowing THORChain to gradually restore operations after weeks of recovery work.
“The goal is to restart the network as soon as possible,” the team previously stated, emphasizing that security, stability, and long-term resilience remain the guiding principles behind the recovery effort.
For now, the protocol remains focused on completing technical validation, implementing the quarantine mechanism, and ensuring the integrity of all node infrastructure before fully reopening the network.
Also read: ZachXBT Calls $32M Humanity Protocol Hack ‘Possibly Staged,’ $H Crashes 86%