The Flow blockchain faced one of its most significant security incidents on December 27, 2025, when an attacker exploited a critical vulnerability in the Cadence runtime — the smart contract execution layer powering the network — to create approximately $3.9 million in unauthorized tokens. The exploit bypassed Flow’s supply controls entirely, enabling the attacker to mint counterfeit assets and immediately sell them on decentralized exchanges before detection could trigger a response.
The Exploit Mechanics
The attack targeted a fundamental flaw in Flow’s Cadence runtime, the programming language and execution environment responsible for processing all smart contract operations on the network. Rather than properly minting new tokens through the established supply mechanism, the attacker discovered a method to duplicate existing tokens — effectively creating counterfeit assets from nothing. This is a particularly dangerous class of vulnerability because it does not require draining existing user wallets or compromising private keys. Instead, the attacker generated value out of thin air by exploiting how the Cadence runtime validated token creation operations.
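The passage above describes the class of bug (tokens appearing without passing through the mint path) but not how an operator would notice it. The following monitor is an added example, not code from Flow, FindLabs or the Cadence codebase; the event shape, field names, account names and amounts are assumptions for illustration. It replays a constructed Mint/Burn/Transfer stream and checks two invariants an indexer can enforce continuously: the contract's supply counter must equal mints minus burns, and no account may send more than it was ever credited. A duplicated vault breaks the second invariant immediately and, once vault balances are summed, the first as well.

```python
"""Supply-conservation monitor over a constructed fungible-token event stream.

Added example: this is not Flow Foundation, FindLabs or Cadence code. The
event shape, field names and balances are assumptions for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Event:
    height: int
    kind: str                               # "Mint", "Burn", "Transfer" or "Snapshot"
    amount: Decimal = Decimal(0)            # token amount (Mint/Burn/Transfer)
    src: Optional[str] = None               # sender (Burn/Transfer)
    dst: Optional[str] = None               # recipient (Mint/Transfer)
    total_supply: Optional[Decimal] = None  # Snapshot: the contract's own supply counter
    vault_sum: Optional[Decimal] = None     # Snapshot: indexer's sum over every vault balance


def reconcile(events):
    """Replay events in height order; return (height, code, detail) alerts."""
    balances = {}
    expected_supply = Decimal(0)
    alerts = []
    for ev in sorted(events, key=lambda e: e.height):
        if ev.kind == "Mint":
            expected_supply += ev.amount
            balances[ev.dst] = balances.get(ev.dst, Decimal(0)) + ev.amount
        elif ev.kind == "Burn":
            expected_supply -= ev.amount
            balances[ev.src] = balances.get(ev.src, Decimal(0)) - ev.amount
        elif ev.kind == "Transfer":
            balances[ev.src] = balances.get(ev.src, Decimal(0)) - ev.amount
            balances[ev.dst] = balances.get(ev.dst, Decimal(0)) + ev.amount
        elif ev.kind == "Snapshot":
            # Invariant 1: the supply counter must match the replayed ledger.
            if ev.total_supply != expected_supply:
                alerts.append((ev.height, "LEDGER_DRIFT",
                               f"counter {ev.total_supply} != replayed {expected_supply}"))
            # Invariant 2: the sum over all vaults must match the counter. A
            # duplicated vault raises vault_sum without touching the counter.
            if ev.vault_sum != ev.total_supply:
                alerts.append((ev.height, "VAULT_SUM_MISMATCH",
                               f"vaults {ev.vault_sum} != counter {ev.total_supply}"))
        else:
            raise ValueError(f"unknown event kind {ev.kind!r} at height {ev.height}")

        # A sender whose replayed balance goes negative spent tokens the event
        # log never credited to it: the signature of tokens created outside
        # the mint path.
        if ev.kind in ("Burn", "Transfer") and balances[ev.src] < 0:
            alerts.append((ev.height, "NEGATIVE_BALANCE",
                           f"{ev.src} at {balances[ev.src]} after sending {ev.amount}"))
    return alerts


# Constructed sample stream (not real chain data); amounts are arbitrary.
SAMPLE_EVENTS = [
    Event(1, "Mint", Decimal(1000), dst="alice"),
    Event(2, "Transfer", Decimal(300), src="alice", dst="bob"),
    Event(3, "Snapshot", total_supply=Decimal(1000), vault_sum=Decimal(1000)),
    # mallory was never minted to or transferred to, yet sells 500 into a pool.
    Event(4, "Transfer", Decimal(500), src="mallory", dst="dex_pool"),
    # The counter still reads 1000, but the indexer now sees 1500 across vaults.
    Event(5, "Snapshot", total_supply=Decimal(1000), vault_sum=Decimal(1500)),
]


def run_demo():
    """Run the monitor over the constructed stream and return its alerts."""
    return reconcile(SAMPLE_EVENTS)


if __name__ == "__main__":
    for height, code, detail in run_demo():
        print(f"height {height}: {code}: {detail}")
```

The point of checking both invariants is that they fail at different times: the negative-balance rule fires on the first transaction that spends counterfeit tokens, while the vault-sum comparison only fires at the next snapshot but catches duplicated balances that have not yet moved. Either alert is a reason to pause the token's bridge and exchange flows before the proceeds leave the chain.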
Once the counterfeit tokens were minted, the attacker moved quickly to swap them for other assets. The proceeds were routed off-network through multiple cross-chain bridges, including Celer, deBridge, Relay, and Stargate. The speed and sophistication of the exit suggested the attacker had planned the laundering route in advance. Binance moved to freeze hacker-linked funds shortly after the exploit was identified, limiting some of the potential damage. The attacker's Ethereum wallet was also identified, and investigators tracked laundering attempts through Thorchain and Chainflip in real time.
Affected Systems
Validators coordinated a network halt within six hours of detecting the malicious activity, putting Flow into read-only mode. While this response time is faster than most Layer-1 reactions to similar incidents, the two-day downtime created significant downstream consequences. NFT lending platforms were hit particularly hard — loan settlements could not process during the freeze, creating liquidation risks for users who had no way to manage their positions. The FLOW token crashed more than 40%, falling to $0.075 in early January. Data from DefiLlama showed Flow’s total value locked dropping from $107 million to $73.8 million after the incident before partially recovering to approximately $97.2 million within 24 hours.
The Flow Foundation, working with forensic partner FindLabs, confirmed that no existing user account balances were compromised. The attacker created counterfeit assets from nothing rather than draining legitimate wallets. However, the initial response plan, a full blockchain rollback, sparked immediate controversy. Alex Smirnov, founder of deBridge, one of Flow's major bridge providers, publicly stated he learned of the rollback decision after it was already announced. He warned that reverting the chain could create doubled balances for users who bridged assets out during the rollback window, while leaving others who bridged in facing losses. The reason is that a rollback undoes only the Flow-side leg of a bridge transfer: a user who bridged out would get their Flow balance back while still holding the assets delivered on the destination chain, and a user who bridged in would lose the Flow-side credit after the source chain had already debited them.
The Mitigation Strategy
Facing mounting pressure from partners and the broader crypto community, the Flow Foundation shifted course on December 29, abandoning the global rollback in favor of a targeted remediation plan developed in consultation with bridge operators, exchanges, and validators. The revised approach focused on isolating and destroying the fraudulently minted tokens while preserving all legitimate user activity. Dapper Labs, which originally launched Flow, reviewed and supported the revised plan.
Validators deployed a software upgrade, Mainnet 28, that enabled the targeted remediation. The network restarted in phases, temporarily restricting accounts identified through independent forensic analysis as recipients of illicit tokens. Flow destroyed 87 billion counterfeit tokens as part of the technical remediation. The Foundation stated that more than 99.9% of accounts would remain unaffected, with normal operations gradually resuming. The broader market remained relatively stable throughout, with Bitcoin trading at approximately $87,800 and Ethereum at $2,948 at the time.
Lessons Learned
The Flow exploit underscores the unique risks associated with runtime-level vulnerabilities in blockchain infrastructure. Unlike smart contract bugs that affect individual applications, a Cadence runtime flaw compromises the foundational execution layer that every application on the network relies upon. The incident also highlights the tension between crisis response speed and ecosystem coordination — Flow’s initial rollback proposal, while technically sound for neutralizing the exploit, failed to account for the cascading effects on bridge operators and cross-chain infrastructure.
The December 2025 timing was significant. The exploit occurred during a period of reduced holiday staffing across the industry, part of a broader pattern that saw at least seven major security incidents totaling over $50 million in losses throughout the month. Attackers clearly timed operations to exploit the combination of skeleton security teams, reluctance to push changes during holiday code freezes, and user distraction that characterizes the end-of-year period.
User Action Required
Flow users should verify that their accounts were not among the restricted set identified during forensic analysis. Anyone who interacted with Flow-based DeFi protocols or NFT platforms between December 27 and December 29 should check transaction histories for any anomalies. Users holding FLOW tokens on centralized exchanges should confirm that trading has resumed normally. Going forward, the incident serves as a reminder that even foundational layer infrastructure carries risk, and diversifying across multiple networks remains a prudent strategy for managing protocol-level exposure.
Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before making investment decisions.
This is a massive blow to the “secure by design” narrative Flow has been pushing with Cadence. Runtime exploits are particularly nasty because they bypass the smart contract logic itself. I’m waiting for a deep dive on how the minting vulnerability was actually triggered. Stay safe out there and double check your token addresses!
Another day, another multi-million dollar exploit. This is why we can’t have nice things in DeFi yet. If a major chain like Flow can have a “runtime exploit” that lets people just print money, how can we trust any of these newer L1s? Moving my bags back to cold storage until the dust settles on this one.
Really tough news for the ecosystem, but the team is usually pretty fast with patches. Cadence is still one of the most readable languages out there, so hopefully this was just a weird edge case. I’m glad they caught it at $3.9M and not $39M. Bullish on the recovery once the fix is live!