PANews reported on May 22 that THORChain released its fourth update regarding the May 15 attack . Proposal ADR028 has been published, and node operator voting has begun. According to the recovery plan, the protocol will first absorb the losses through its own liquidity, with the remaining losses shared by synthetic asset holders; the specific allocation ratio is still under evaluation. The protocol's own liquidity will be reduced to zero, and will be gradually replenished through system revenue. This plan will not involve issuing or selling RUNE, nor will it dilute any holders.

Technically, GG20 is temporarily retained and has been patched and upgraded. Trading will resume after the vulnerability is fixed and node rotation is successful. Future releases will adopt a slower, more security-conscious pace. Innocent nodes in the same vault as the attacker will be protected, while the attacker's node will be fully forfeited. Recovered RUNE will be paired with recovered assets, and any excess will be destroyed. The protocol also provides white-hat bounties to attackers to recover funds; if partial recovery occurs, the recovery plan will be rolled back proportionally. THORChain remains neutral and permissionless, and will not censor attackers' swap transactions after trading resumes. Node operators are currently voting on the proposal's direction; the numbers in the ADR are indicative only and will be adjusted via Mimir.