A recent post-mortem report has shed light on the significant exploit that occurred on the Flow blockchain on December 27, resulting in a theft of approximately $3.9 million. The analysis detailed a protocol-level vulnerability that enabled the attacker to duplicate fungible tokens rather than mint new ones. The attack involved over 40 malicious smart contracts, which the report presents as a sign of its technical sophistication.
The breach exploited a critical flaw within the Cadence execution layer (version 1.8.8), allowing the attacker to disguise a protected asset (normally designed to be non-replicable) as a conventional data structure that could be copied. Consequently, while user balances remained unaffected, the attacker was able to generate counterfeit tokens.
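Because duplicated tokens appear without any mint event, a supply-conservation audit can surface them. The following is an added example, not taken from Flow's post-mortem or code: the event tuple format, the account names and the sample ledger are constructed assumptions.

```python
from collections import defaultdict

def audit_supply(events, observed):
    """Replay ledger events and compare them with observed balances.

    events:   (kind, src, dst, amount) tuples; kind is mint, burn or transfer
              (hypothetical format, not Flow's real event schema).
    observed: account -> balance as currently reported on-chain.
    Returns (unbacked, suspects): unbacked is observed supply minus
    (minted - burned); suspects maps an account to the tokens it holds
    or has spent that no event accounts for.
    """
    expected = defaultdict(int)
    suspects = defaultdict(int)
    minted = burned = 0
    for kind, src, dst, amount in events:
        if kind == "mint":
            minted += amount
            expected[dst] += amount
        elif kind == "burn":
            burned += amount
            expected[src] -= amount
        elif kind == "transfer":
            expected[src] -= amount
            expected[dst] += amount
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
        # An account that spends more than it ever received was
        # spending tokens that were never minted or transferred to it.
        if src is not None and expected[src] < 0:
            suspects[src] += -expected[src]
            expected[src] = 0
    # Tokens still held beyond what the event history explains.
    for account in set(expected) | set(observed):
        surplus = observed.get(account, 0) - expected[account]
        if surplus > 0:
            suspects[account] += surplus
    unbacked = sum(observed.values()) - (minted - burned)
    return unbacked, dict(suspects)

# Constructed sample: "mallory" receives 10 tokens, copies them off-ledger,
# then deposits 400 at "exchange" while still holding 100.
SAMPLE_EVENTS = [
    ("mint", None, "alice", 1000),
    ("transfer", "alice", "mallory", 10),
    ("transfer", "mallory", "exchange", 400),
]
SAMPLE_OBSERVED = {"alice": 990, "mallory": 100, "exchange": 400}
```

On the sample, the audit reports 490 unbacked tokens and attributes all of them to the account that spent and held more than it received, while honest balances reconcile exactly.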
Fortunately, Flow validators acted quickly, initiating a network halt within six hours of the initial transaction. The funds transferred to centralized exchanges were subsequently frozen by cooperating partners. According to the report, the attacker deposited a staggering 1.094 billion counterfeit FLOW tokens across various exchanges, with approximately 484,434,923 FLOW already returned and destroyed by exchange partners, including OKX, Gate.io, and MEXC.
Flow has since implemented measures to isolate 98.7% of the remaining counterfeit tokens, which are pending destruction. The Foundation is actively collaborating with additional exchanges to recover the outstanding assets. A protocol-level backstop has also been established to restrict all deposit addresses linked to the attacker, ensuring that no counterfeit tokens can be withdrawn, bridged, or transferred until they are returned for destruction.
In response to the incident, Flow has patched the vulnerability and restored full network functionality. A decision was made to pursue an “isolated recovery” plan, which aimed to maintain legitimate transaction history while allowing for the governance-approved destruction of the counterfeit assets.
Following the implementation of the recovery plan and the release of the post-mortem, the FLOW token has experienced a rebound. After plunging nearly 40% in value within five hours post-exploit, the token dipped to a low of $0.075 on January 2 before beginning to recover. As of now, the FLOW token has surged over 14% in the past 24 hours, trading at $0.1015.