
What To Know:
The Flow network has restored full operations after a security incident that allowed an attacker to mint counterfeit tokens and extract approximately $3.9 million through cross-chain bridges. In a detailed post-incident report released by the Flow Foundation, developers confirmed that no existing user balances were accessed or drained during the attack, and that legitimate transaction history on the network remains intact.
Flow Network Details $3.9M Exploit
The incident occurred on December 27, 2025, when an attacker exploited a vulnerability in the Cadence smart contract runtime. According to Flow, the exploit enabled the creation of fake assets that were later bridged out of the network. While the value involved was significant, the Foundation emphasized that the breach duplicated assets rather than stealing tokens held by users. Most of the counterfeit tokens were either contained on-chain or frozen before liquidation, following coordination with centralized exchanges.
Flow validators have since approved a governance action authorizing the permanent destruction of all counterfeit assets. Network activity resumed on December 29 and has continued without disruption.
Technical findings show that the attacker carried out a complex, multi-step operation. More than 40 malicious smart contracts were deployed in sequence, forming a three-stage attack chain. This included bypassing attachment import verification, evading defensive checks on built-in types, and exploiting a weakness in contract initializer semantics. At the center of the incident was a type confusion bug in Cadence runtime version 1.8.8.
The flaw allowed protected assets, which are designed to be non-copyable, to be treated as standard data structures that can be duplicated. By masking asset types in this way, the attacker bypassed runtime safety checks and minted fake tokens. The vulnerability has since been patched in Cadence version 1.8.9 and later releases.
After bridging the counterfeit assets out of Flow, the attacker attempted to deposit fake FLOW tokens across several centralized exchanges. Abnormal transaction volumes triggered internal compliance systems at multiple venues, leading to immediate freezes. Exchanges including OKX, Gate.io, and MEXC cooperated with Flow to return and destroy a large portion of the affected tokens. Around half of the counterfeit FLOW sent to exchanges has already been recovered, with coordination ongoing for the remainder.
To address the incident without disrupting legitimate activity, Flow implemented what it calls an Isolated Recovery Plan. The approach focused on surgical remediation rather than rolling back the chain. When the network came back online on December 29, more than 1,000 Cadence accounts linked to the exploit were temporarily restricted to prevent further spread of counterfeit assets. The Flow EVM environment was placed in read-only mode while remediation tools were prepared.
Over the following days, validator-approved software upgrades granted limited recovery permissions to the Community Governance Council. Using these permissions, the council recovered counterfeit assets from both the Cadence and EVM environments, emitted on-chain verification events, and lifted restrictions on accounts cleared of contamination. By January 2, the EVM environment was fully restored, and bridged counterfeit tokens were moved back to Cadence for permanent destruction.
The Foundation also began rebalancing affected liquidity pools using recovered funds and treasury support to limit economic impact on users and liquidity providers. A final phase includes residual supply checks and the revocation of elevated governance permissions introduced during the recovery.
Flow said the response preserved transaction finality while minimizing reconciliation risks for exchanges, bridges, and custodial partners that maintain independent records. Forensic firms zeroShadow and Find Labs are assisting with ongoing analysis, alongside law enforcement authorities.
