News linked to both this project and an event.
THORChain has released its fourth update regarding the Asgard vault intrusion incident, publishing the ADR028 proposal and opening voting for node operators. The proposal indicates that the protocol will first absorb losses through its Protocol-Owned Liquidity (POL), with the remaining portion to be borne by synthetic asset holders. The exact proportion is still under evaluation. The POL will be reduced to zero as a result, and the proposal suggests allocating a portion of system revenue over time to gradually replenish it. This plan does not involve minting new RUNE, selling RUNE, or diluting holder equity.On the technical side, the GG20 version will be temporarily retained with a patch upgrade. Trading will resume after the vulnerability is fixed and a successful node rotation is completed. A slower, more security-focused release cadence is planned for the future.Regarding the slashing mechanism, unrelated nodes sharing the same vault as the attacker will be protected, while the attacker's node will be fully slashed. The recovered RUNE will be paired with recoverable assets from the affected vault, and any excess RUNE will be burned.Additionally, THORChain has offered a white-hat bounty to the attacker to recover funds. If a portion of the funds is recovered, the recovery plan will be adjusted proportionally. THORChain emphasizes its commitment to remaining neutral and permissionless, stating it will not censor the attacker's swap transactions after trading resumes.Currently, node operators are voting on the overall direction and principles of the proposal. The specific figures in the ADR are indicative and will be adjusted later via the Mimir mechanism. The goal is to restart the network as soon as possible. A "yes" vote means developers can proceed further along this path.
Odaily News: THORChain officially stated that a large number of fake accounts and false information have been spotted on the market, involving activities such as "refunds," "airdrops," and "compensation." Preliminary investigations indicate that user funds were not compromised in the previous security incident. No refund, airdrop, or compensation plan has been initiated. Any accounts claiming otherwise are imposters or are disseminating false information. Further investigation progress and additional details will be announced subsequently.
Odaily Odaily, THORChain posted on platform X that its developers have released an incident update on Discord. Current evidence points to a node thor16uc...cn84q, which recently joined the network, as being associated with the attack. This node is operated by a single malicious actor. The primary hypothesis is that the attacker exploited a vulnerability in the GG20 TSS implementation, causing sensitive key material of vault participants to leak over time. This ultimately enabled the reconstruction of the vault's private key and the execution of unauthorized outgoing transactions.Regarding network status, the network has been paused after multiple node operators executed `make pause`. RUNE transfers and on-chain observation may resume within approximately 12 hours, but transactions, LP operations, signing, and other sensitive operations remain paused.Discussed recovery plans include slashing the affected node's bond, covering losses with protocol-owned liquidity (POL), or other community-driven solutions. THORSec and Outrider Analytics are continuing their investigation. The Treasury is gathering forensic data and coordinating with relevant law enforcement agencies. Full functional recovery is expected to take several days or longer.
According to Odaily, THORChain has issued an emergency announcement stating that after discovering a suspected breach of an Asgard vault, the network has suspended trading operations to respond to the security incident. Preliminary information indicates that user funds remain unaffected, with losses primarily concentrated on the protocol's own capital.The official statement noted that the system automatically detected anomalous behavior and halted signing operations, thereby alerting the community and preventing further asset outflow. The investigation is currently ongoing to determine the root cause of the vulnerability and the full scope of the impact.Known information indicates that this incident involves one of the six Asgard vaults, with estimated losses of approximately $10.7 million. Meanwhile, staked RUNE on the affected nodes has been slashed due to a penalty mechanism triggered by unauthorized outgoing transactions. The network has paused churn operations and delayed the launch of new chains and related features until system stability is restored.THORChain stated that no user cross-chain transactions have been affected so far and has requested node operators to thoroughly inspect their infrastructure, secure key management, and anomalous behavior, and to submit relevant logs to assist the investigation.