The decentralized liquidity protocol THORChain has offered a 20% white hat bounty to an attacker who drained $10.7 million from the network on May 15, 2026. This move comes as THORChain node operators begin voting on ADR-028, a recovery plan designed to restore the network after a malicious node operator exploited a vulnerability in the protocol’s threshold signature scheme. The attacker, identified as node thor16ucjv3v695mq283me7esh0wdhajjalengcn84q, reportedly reconstructed a vault private key to sign unauthorized transactions across nine different blockchains, including Bitcoin and Ethereum.
The exploit occurred via a series of transactions that ended at approximately 10:11 AM UTC on May 15. The attacker was a newly “churned” node operator that had entered the network just two days prior to the incident. On-chain investigator ZachXBT and security firm PeckShield were among the first to flag the suspicious activity, which saw funds move to specific Ethereum addresses now linked to the malicious actor. THORChain’s automated solvency checks successfully halted wider network activity within minutes, limiting the damage to a single vault out of five.
The underlying issue involved the implementation of the GG20 Threshold Signature Scheme (TSS). According to the core team, a vulnerability allowed for progressive key material leakage, which the attacker used to bypass the standard signing ceremony and sign outbound transactions directly. This breach adds to a growing list of security challenges for the protocol. Earlier years saw utility-driven protocols struggle with similar cross-chain vulnerabilities as they attempted to bridge disparate ecosystems.
THORChain recovery plan ADR-028 and white hat bounty details
The proposed recovery plan, ADR-028, outlines a strict hierarchy for how the $10.7 million loss will be managed. First and foremost, the protocol will absorb the hit through its Protocol-Owned Liquidity (POL). By reducing this liquidity to zero, the network avoids minting new RUNE tokens or diluting current holders. This approach ensures that the native token supply remains stable while the protocol slowly rebuilds its capital reserves from future system income.
Any loss that exceeds the capacity of the POL will be distributed across synthetic asset (synth) holders. While the exact ratio for this shortfall is still under evaluation via Mimir governance, the team has been adamant that no RUNE will be sold to cover the gap. This decision reflects the project’s priority to protect its core tokenomics during periods of extreme stress, a strategy often seen when major altcoins enter protective phases to maintain market confidence.
The 20% white hat offer to the attacker
In a direct appeal to the exploiter, THORChain has offered to let the attacker keep 20% of the stolen funds as a legal bounty. This would amount to roughly $2.14 million of the $10.7 million total. The offer is contingent on the return of the remaining 80%. If the attacker complies, the protocol will adjust the recovery plan proportionally to reduce the impact on synth holders and protocol-owned liquidity.
Currently, the attacker’s wallets are reported to hold approximately 3,443 ETH, 36.85 BTC, and 96.6 BNB. The protocol is working with Outrider Analytics and law enforcement agencies to track these funds. While the white hat offer provides a “clean” exit for the attacker, the project is simultaneously pursuing forensic evidence tied to the node’s initial bonding transactions, which could lead to a real-world identification of the operator.
Technical fixes and the path toward network restart
Before trading can resume, several technical hurdles must be cleared. The vulnerability in the GG20 TSS implementation has already received patches, but the protocol intends to keep the GG20 system in place temporarily while enhancing its security. Node operators are currently reviewing these patches as part of the wider vote on ADR-028. This cautious approach mirrors the volatility and risk management seen when liquidity surges return to major assets following a period of technical uncertainty.
The network’s restart will be phased. Trading will only be enabled after a successful node rotation and a confirmation that the patched signature scheme is behaving as expected. The RUNE price has already felt the weight of the event, dropping roughly 13% since the exploit was first confirmed on May 15. The community remains divided on the distribution of losses to synth holders, though the move to avoid RUNE inflation has been generally praised by long-term investors.
Additional details regarding the exploit and the ongoing recovery efforts can be found on THORChain’s official site or in security updates provided by PeckShield. For now, the focus remains on the node operator vote, which will determine how quickly the cross-chain protocol can return to full functionality and whether the attacker will accept the white hat olive branch.
