The Flow Foundation published a technical post-mortem detailing a protocol-level exploit on December 27 that resulted in about $3.9 million in confirmed losses before containment. The attacker exploited a flaw in Flow’s Cadence runtime that allowed certain assets to be duplicated rather than minted, bypassing supply controls without accessing or draining existing user balances.

Validators coordinated a network halt within six hours of the first malicious transaction, while exchange partners froze most counterfeit assets before they could be sold. Flow said the temporary halt placed the network into a read-only mode to sever exit paths and prevent further duplication while the issue was investigated. Operations resumed two days later under an isolated recovery plan that preserved legitimate transaction history and authorized the recovery and permanent destruction of counterfeit assets through a governance-approved process. FLOW's price decline accelerated following the Dec. 27 hack, when the token plunged by around 40% over five hours.

The Flow Foundation said no existing user balances were compromised, as the exploit duplicated assets rather than removing funds from accounts. A limited number of accounts that interacted with counterfeit tokens were temporarily restricted as a precaution, while more than 99% of accounts retained full access during and after the recovery. While the attacker generated a large volume of counterfeit tokens on-chain, Flow said the vast majority were contained or frozen before liquidation. The Foundation has since patched the underlying vulnerability, added stricter runtime checks, and expanded regression testing to prevent similar exploits. It is working with forensic partners and law enforcement and plans to strengthen monitoring and bug-bounty programs as part of broader security hardening.
