THORChain Recovery Following Security Breach
THORChain is currently in the process of meticulously working to restore its operations following a significant security breach that took place on May 15. The most recent communication from the protocol emphasizes that developers and security personnel are concentrating on a careful recovery to ensure the network is brought back online securely, highlighting that no steps will be rushed as they address the aftermath of the incident.
Details of the Breach
An official report detailing the exploit revealed that approximately $10.7 million was siphoned from one of the five vaults due to a vulnerability tied to the GG20 Threshold Signature Scheme. This breach occurred shortly after the integration of a new node operator, who joined the network just two days prior to the attack. The remaining four vaults were unaffected by the incident.
Software Updates and Recovery Strategy
To bolster security and stability, nodes have transitioned to version 3.18.1 of the software, which allows for the restoration of Rujira Network’s functionality regarding credit management. Meanwhile, efforts are underway to prepare the next software update, version 3.19.0, which will introduce additional features and fixes before being pushed to the mainnet. Although THORChain aims to advance to the stagenet phase by tomorrow, a precise timeline for the complete restoration is still pending confirmation. Once the updated mainnet version is ready, node operators will be urged to implement the upgrade promptly for a safe network relaunch.
Additionally, the approval of ADR028 by node operators marks a significant step forward in THORChain’s recovery strategy. This proposal, which initiated voting in the wake of the incident, provides a clear recovery pathway aimed at restarting the network without creating new RUNE, liquidating RUNE, or diminishing existing holders’ assets. The recovery mechanism will utilize protocol-owned liquidity to address any financial shortfall, with adjustments for synthetic asset holders appropriately accounted for.
Bounty and Security Measures
In light of recent developments, the protocol has activated a bounty window, giving the perpetrator an opportunity to return a portion of the stolen funds. THORChain has also committed to mitigating the remaining losses using protocol-owned liquidity, with more accurate financial figures expected to be released later.
As part of its recovery measures, THORChain will implement the full slashing of the attacker’s node. Fortunately, the integrity of innocent nodes associated with the same vault will be preserved. Any regaining of RUNE will be coupled with assets retrieved from the affected vault, and any excess RUNE will be burned to diminish supply.
To enhance security, the tss-lib component has been transitioned to a closed-source format temporarily, allowing THORSec to conduct a comprehensive audit without the risks associated with public exposure of active remediation processes. This represents a notable deviation from THORChain’s philosophy of open-source development; however, the repository will be reinstated after the completion of the audit.
Impact and Future Steps
The dive into the exploit first captured significant attention when blockchain researcher ZachXBT alerted the public about potential losses exceeding $10 million across multiple blockchains, including Bitcoin, Ethereum, BSC, and Base. Following this alarming news, THORChain implemented a global emergency halt of trading, instigating a sharp drop in the value of RUNE as users awaited further clarity from the protocol.
Initial estimates suggested at least $7.4 million was lost, but further assessments have indicated the total amount stolen to be over $10 million. Moving forward, the restoration process will hinge on two critical tests: the technical verification of the updated releases and the financial resolution of loss coverage and bounty terms, all while ensuring no new RUNE is introduced into circulation during the recovery.
