Flow Foundation Unveils Revised Recovery Plan After Network Attack

What to Know:

  • Flow Foundation will restart the network without a rollback, isolating and destroying fraudulent tokens while preserving all legitimate transaction history and user balances.
  • The December 27 exploit moved about $3.9 million off-network, but over 99.9 percent of accounts remain unaffected as validators approved a phased recovery plan.
  • Cadence services will resume first, with EVM activity restored later, while bridges and exchanges re-enable access after verified network stability.

Flow Foundation has outlined a revised recovery strategy following the security incident that disrupted the Flow blockchain in late December. The plan, developed in consultation with bridge operators, exchanges, and infrastructure providers, aims to restore network functionality without reversing the chain’s transaction history or forcing partners to replay activity.

Flow Foundation Launches Recovery Plan

The incident was confirmed on December 27, 2025, after an attacker exploited a vulnerability in Flow’s execution layer and moved roughly $3.9 million in assets off-network. Validators responded by coordinating a network halt, cutting off further exit routes. According to the Foundation, the exploit did not compromise existing user balances, and all legitimate deposits remain intact.

The recovery approach centres on isolating and removing fraudulently minted tokens rather than rolling back the blockchain state. Flow will restart from the last sealed block before transaction processing was paused. This decision follows feedback from ecosystem partners who warned that a full rollback would create reconciliation risks for bridges and exchanges and could introduce replay vulnerabilities.

Under the plan, more than 99.9 percent of network accounts will be unaffected and fully operational when services resume. No transaction resubmission will be required, and legitimate user activity will be preserved.

At network restart, accounts identified as recipients of fraudulent token distributions will be temporarily restricted as a precaution. Roughly 1,500 Cadence accounts have been flagged, many of which appear to have no activity beyond receiving the illicit tokens. Independent blockchain forensic firms are verifying the exact token types and quantities linked to the exploit. Once an account is remediated, full access will be restored immediately.

The Flow core development team has proposed a temporary software upgrade that grants limited remediation authority to the Community Governance Council. This upgrade requires opt-in approval from independent validators, ensuring no single entity can act alone. After validators reach consensus, fraudulent tokens will be withdrawn and destroyed through transparent, auditable on-chain transactions. A follow-up upgrade will then revoke all elevated permissions.

Recovery will proceed in phases. In the first phase, the Cadence environment will return to normal operations, while the EVM environment remains restricted to read-only mode. This allows most applications and users to resume activity while additional remediation steps are prepared. The second phase focuses on destroying fraudulent tokens in Cadence and rebalancing decentralised exchange pools affected by price dislocations. The Foundation has indicated it may use its own reserves to help realign on-chain prices with those seen on external markets.

The third phase addresses the EVM environment. Once re-enabled through a coordinated network upgrade, fraudulent tokens held at EVM addresses will be bridged back to Cadence and destroyed. Trade proceeds linked directly to attacker-controlled accounts will be recovered where possible. Tokens received by liquidity providers or traders who interacted in good faith will not be reclaimed. Any remaining supply imbalance will be assessed through a published analysis, with the option for the Foundation to offset it by acquiring and destroying an equivalent amount of tokens.

In the final phase, bridges and exchanges will decide independently when to resume integrations after observing a period of verified stability. The Foundation has advised operators to keep restrictions in place until remediation is complete and pricing has stabilised.

Investigators have traced the attacker’s exit routes, which primarily ran through cross-chain bridges including Celer, Debridge, Relay, and Stargate. The attacker’s wallet has been identified and flagged, with laundering activity via Thorchain and Chainflip under active monitoring. Freeze requests have been submitted to Circle, Tether, and major exchanges. The Foundation said containment is complete, with no further unauthorised activity possible.

Validators have now approved the required software upgrade, and the network has entered a testing phase in read-only mode. Phase 1 deployment is scheduled for 6am PT, when the Cadence environment will go live and restricted accounts will be isolated. Further updates are expected as remediation progresses, followed by a detailed post-mortem once normal operations are fully restored.