Decentralized liquidity protocol THORChain is preparing a governance vote to determine how the network will absorb losses from last week’s exploit, as developers finalize a software patch and continue investigating the attack.
In its third incident update shared via X on Monday, THORChain said contributors and the THORSec team expect to release version 3.18.1 for node operators, a critical step toward restoring normal operations after an estimated $10 million to $10.8 million was drained from protocol-controlled wallets.
The network remains partially paused while trading, liquidity actions, and other sensitive functions stay offline.
Governance vote to decide how losses are handled
The most immediate unresolved issue is how THORChain will account for the stolen funds.
Developers said the final decision will be made through community governance after discussion in a dedicated Discord channel, ADR-028 TSS Exploit Recovery. A formal vote is expected in the coming days, with node operators selecting among the proposals that receive the broadest support.
Options under discussion include slashing the bonds of nodes that participated in the affected vault or using protocol-owned liquidity to absorb the losses. No final decision has been made.
Patch expected before full restart
THORChain said it expects to release version 3.18.1 to node operators on Monday. The update is intended to address the immediate issue and allow the network to move toward a stable restart.
A broader version 3.19 release is expected to implement whichever recovery option is approved by governance. The team said services will not be restored until node operators reach broad consensus on the recovery plan.
Attack no longer tied to known GG20 exploits
Earlier updates suggested the attacker may have exploited a flaw in THORChain’s GG20 threshold signature scheme, potentially through a newly churned node linked to the theft. In its latest statement, the team said the attack vector does not appear to match any publicly known GG20 vulnerabilities.
Developers said they now have a strong understanding of how the exploit was carried out but are not yet ready to disclose technical details. They are also assessing whether other GG20 implementations could face similar risks. THORChain said it has been working with cryptographers, external security researchers, and members of the original GG20 development team.
User funds were not affected
THORChain has repeatedly stated that the exploit affected protocol-owned funds only and that no user deposits or liquidity provider positions were lost. The team also warned users to ignore fake social media accounts promoting refunds, airdrops, or compensation programs, noting that no such initiatives are underway.
Although longer-term changes to THORChain’s cryptographic security model are under review, the development team said it is leaning toward continuing to use GG20 in the short term to restore network operations as quickly as possible.
Broader decisions about replacing or redesigning the vault security system will be considered once the protocol has returned to a stable state.
Also Read: Aave Upgrades Savings GHO to sGHO With Fixed 4.25% Yield
