THORChain’s Restart Plan: Can RUNE Recover Trust After the $10.7M Hack?

A single Asgard vault drain set THORChain back on its heels in mid-May. Roughly $10.7 million vanished, trading paused, and the community braced for tough decisions.

Now a path to restart is live. Governance ratified ADR028, developers shipped v3.19 migrations, and leadership has guided the community toward a controlled reopening. The question is whether that’s enough for RUNE to rebuild trust.

Here’s what was decided, who covers the loss, what changes at the protocol level, and how to assess the reopening.

THORChain operates one of the few live cross-chain automated market maker networks, routing native assets between L1s via vaults managed by rotating validator sets. That power comes with attack surface. In May 2026, a single Asgard vault was drained, triggering emergency procedures and a network-wide pause while teams triaged and planned a restart.

The credibility of THORChain’s restart turns on two things: how losses are socialized, and whether hardening changes reduce repeat risk without breaking core features.

The team’s “Exploit Report #1” confirmed the amount and immediate patch path, and governance converged on ADR028—a staged restart funded by Protocol-Owned Liquidity (POL) rather than new token issuance. Timelines point to trading resumption as early as mid-June, contingent on final checks and node coordination.

What Actually Broke: Unpicking the Asgard Vault Drain

Single-vault exposure, not global collapse

THORChain’s initial incident write-up stated that an unauthorized drain of approximately $10.7 million occurred from a single Asgard vault on May 15, 2026, with details published May 20 as “Exploit Report #1.” The team pointed to patch v3.18.1 as the immediate containment step and identified ADR-028 as the longer-term recovery mechanism (THORChain (blog) — Exploit Report #1).

Initial containment and posture

Following the vault drain, the protocol moved to pause risk-exposed functions and coordinate a code and process review across nodes. The aim was to isolate the incident, prevent contagion to other vaults, and prepare a migration plan aligning with governance decisions. The team emphasized a no-rush posture to avoid compounding errors while restoring the network safely.

ADR028 and the No‑Mint Restart Plan

Using POL instead of dilution

On May 27, node operators approved ADR028, authorizing a staged restart that covers the loss using Protocol-Owned Liquidity and explicitly avoids minting or selling new RUNE. The proposal also opened a hacker-bounty window to incentivize return of funds (KuCoin (news) — ADR028 approval).

The “no-mint” commitment matters for tokenholders. It removes one common post-hack reflex—inflate supply to recapitalize—and shifts the cost to the protocol’s balance sheet, with potential knock-on effects for liquidity depth and yield.

How the restart unfolds

Based on the team’s updates, the sequence is designed to ensure safety, then functionality, then breadth:

1. Lock in the loss-accounting methodology via ADR028 and implement it in migrations.
2. Ship and adopt releases (v3.18.1 for immediate containment; v3.19 for full restart with store migrations).
3. Coordinate node upgrades and verify-key fixes to ensure vault control is consistent.
4. Resume trading cautiously, monitor pools and vault behavior, and adjust parameters if needed.
5. Re-open chain integrations in stages, prioritizing those already audited and queued.
6. Maintain the bounty window to potentially reclaim funds and offset POL usage.

This prioritization tries to avoid systemic risk while restoring core UX and liquidity links.

v3.19 Migrations and Hardening Work

From plan to implementation

In a May 29 “Path to Restart” update, THORChain identified v3.19 as the restart release, containing store migrations to implement ADR028’s loss methodology. The post noted developers resolved a roughly $700,000 shortfall in the migration logic—“the $700k gap … ironed out by Codehans”—before moving forward (THORChain (blog) — 'Path to Restart' (May 29, 2026)).

Operational fixes and expected resumption

By June 11, nodes had adopted v3.19, with v3.19.1 rolled out to finish verify-key and Gaia fixes. Leadership indicated trading could resume within the following week—with Chad Barraford saying he “leaned Tuesday or Wednesday”—subject to final validation. The same update queued Zcash within “a week or two,” and targeted Monero integration for July 1–15 (THORChain (blog) — 'Eyes Trading by Midweek' (June 11, 2026)).

The cadence underscores a safety-first reopening, adding integrations only after vault and key-handling fixes settle.

Restart Timeline and What to Watch

Key dates and decisions

Date (2026) Milestone Notes / Source May 15 Asgard vault drained (~$10.7M) Incident date cited in the exploit report; single-vault impact (THORChain blog) May 20 Exploit Report #1 Confirms loss amount; outlines v3.18.1 patch and ADR-028 recovery path (THORChain blog) May 27 ADR028 approved Staged restart; use POL; avoid minting RUNE; bounty window activated (KuCoin) May 29 Path to Restart (v3.19) Migrations implement ADR028; $700k logic gap resolved by Codehans (THORChain blog) June 11 Nodes adopt v3.19, v3.19.1 in flight Verify-key/Gaia fixes; trading expected midweek; Zcash soon; Monero targeted early–mid July (THORChain blog)

Signals that trust is returning

In the first weeks after trading resumes, focus on a handful of operational and market indicators, not price alone:

• Pool depth and churn stability across major pairs versus pre-pause levels.
• Spread and slippage on cross-chain swaps during peak hours.
• Node participation and bond health after upgrades complete.
• Incidents or anomalies reported in vault operations, especially during chain rotations.
• Rate of third-party integrations (wallets, aggregators) re-enabling THORChain routing.

Who Pays and What It Means for RUNE

Socializing losses without minting

The ADR028 decision to use POL rather than minting or selling new RUNE sidesteps immediate dilution risk. The cost instead lands on the protocol’s balance sheet, potentially reducing owned liquidity and, in turn, affecting pool depth. Shallower pools can raise slippage and temporarily compress volume until market-makers and LPs step back in.

Implications for LPs and node operators

Liquidity providers will weigh yield versus perceived security. If POL absorbs losses, LPs might not face direct haircutting tied to the exploit, but a thinner protocol-owned base could change rewards dynamics. Node operators must complete upgrades, verify key assignments, and monitor vault behavior closely; the professionalism of this cohort is a leading indicator for network safety.

RUNE’s supply narrative

Not minting RUNE helps maintain the token’s credibility. But no-mint does not mean no impact: the opportunity cost is borne by protocol capital that could otherwise seed growth or incentives. Over time, the protocol can replenish POL through fees and careful treasury management, assuming volumes return.

Market structure and liquidity recovery

When trading resumes, arbitrageurs will likely test edges across chains and centralized venues. If vault handling and settlement latency improve under v3.19.x, spreads should normalize. Watch for conservative parameter sets—like swap limits and throttles—initially constraining throughput as a safety measure, then loosening as confidence builds.

Automatic Response Table (timestamps, Mimir keys and block numbers) showing the chain-level halts the solvency checker triggered — demonstrates how THORChain automatically contained the incident. — Source: THORChain (Exploit Report #1)

Operational Outlook: Integrations and Guardrails

Privacy chains on deck

Re-enabling Zcash within “a week or two” and targeting Monero for July 1–15 signals confidence in vault operations under the updated releases. These integrations are complex—especially around key management and fee estimation—so their safe activation is a milestone for the restart’s maturity (THORChain blog).

Process hardening beyond code

Beyond patches, expect more conservative operational practices: stricter key verification flows, phased chain rollouts, and potentially tighter monitoring around vault transitions. Post-incident bounties and disclosure channels can shorten the feedback loop on vulnerabilities and encourage whitehat cooperation.

Risks & What Could Go Wrong

• Residual vulnerability: The exploit vector could have adjacent variants that evade current mitigations.
• Liquidity shock: Using POL to cover losses may thin protocol-owned depth, increasing slippage during reopening.
• Governance friction: If parameters stay restrictive for too long, LPs and traders may shift volume elsewhere.
• Integration risk: Re-enabling Zcash/Monero introduces fresh surface area in key handling and fee logic.
• Bounty uncertainty: Hacker-bounty outcomes are unpredictable and may not meaningfully offset losses.
• Node coordination: Any lag or misconfiguration in verify-key steps could disrupt vault control during churn.
• Reputational overhang: Even with a smooth restart, some venues or wallets might delay reactivation, dampening volume.

No patch is a panacea; the next 30–60 days hinge on disciplined ops, parameter tuning, and transparent incident reporting.

For ongoing coverage and context across DeFi security incidents and restarts, Crypto Daily tracks governance votes, on-chain metrics, and developer updates in real time. You can follow our rolling reports and explainers at Crypto Daily.

Frequently Asked Questions

What happened in THORChain’s $10.7M incident?

An unauthorized drain hit a single Asgard vault around May 15, 2026. THORChain’s May 20 Exploit Report #1 confirmed the approximate $10.7M loss and outlined v3.18.1 as an immediate patch with ADR-028 as the recovery framework (THORChain blog).

What is ADR028 and why does it matter?

ADR028 is the governance-approved roadmap for a staged restart. It socializes losses through Protocol-Owned Liquidity instead of minting or selling new RUNE, and it opened a bounty window to encourage fund return. Nodes approved ADR028 on May 27, 2026 (KuCoin).

Will THORChain mint new RUNE to cover the loss?

No. ADR028 explicitly avoids minting or selling new RUNE. Losses are covered by the protocol’s own liquidity, which protects holders from direct dilution but may temporarily reduce pool depth.

When could trading resume?

As of June 11, 2026, nodes had adopted v3.19 and v3.19.1 was being distributed for verify-key and Gaia fixes. Leadership said they expected trading to resume within the following week, subject to final checks (THORChain blog). Timelines can slip if safety tests require it.

How are liquidity providers affected?

Because POL is used to socialize losses, LPs are shielded from a direct exploit-linked haircut under ADR028. However, thinner protocol-owned depth can impact slippage and yields until liquidity rebuilds and volumes normalize.

What about Zcash and Monero integrations?

The June 11 update queued Zcash within “a week or two” of trading resumption and targeted Monero for July 1–15, contingent on successful vault operations and key management under v3.19.x (THORChain blog).

What should users and traders watch post-restart?

Monitor pool depth, swap slippage, node participation, and any reported vault anomalies. Early reopening may include conservative limits; those can relax as stability is demonstrated.

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.