Flow breaks down $3.9M exploit in full post-incident report

Flow published a post-incident report on January 6, 2026, discussing the root cause of its $3.9 million exploit.

An attacker exploited a Cadence runtime type confusion vulnerability to forge tokens. Flow said no existing user balances were accessed or compromised.

Flow identifies type confusion vulnerability as exploit root cause

A type confusion vulnerability was found to be the primary cause by Flow. The vulnerability made it possible for the attacker to evade runtime safety checks by disguising a protected asset as a regular data structure. The attacker coordinated the execution of about 40 malicious smart contracts.

The attack started at block height 137,363,398 on December 26, 2025, at 23:25 PST. Minutes after the first deployment, the production of counterfeit tokens started. The attacker used standard data structures that are replicable to disguise protected assets that ought to be uncopyable. By taking advantage of Cadence’s move-only semantics, this made token counterfeiting possible.

Cadence and a fully EVM-equivalent environment are the two integrated programming environments run by Flow. In this instance, the exploit targeted Cadence.

Network down within six hours of initial malicious transaction

On December 27, at block height 137,390,190, flow validators started a coordinated network pause at 05:23 PST. All escape routes were cut off, and the halt occurred less than six hours after the initial malicious transaction.

Counterfeit FLOW was being moved to centralized exchange deposit accounts by December 26 at 23:42 PST. Due to their size and irregularity, most of the large FLOW transfers that were sent to exchanges were frozen upon receipt. Beginning at 00:06 PST on December 27, a few assets were bridged off-network using Celer, deBridge, and Stargate.

At 01:30 PST, the first detection signals were raised. At this point, exchange deposits were correlated with anomalous cross-VM FLOW movements. As counterfeit FLOW was liquidated beginning at 1:00 PST, centralized exchanges faced significant sell pressure.

Exchanges return 484 million counterfeit FLOW tokens

According to Flow, the attacker deposited 1.094 billion fake FLOW across several centralized exchanges. Exchange partners Gate.io, MEXC, and OKX returned 484,434,923 FLOW, which was destroyed. 98.7% of the remaining supply of counterfeit goods has been isolated onchain and is in the process of being destroyed. Complete resolution is anticipated in 30 days, and coordination with other exchange partners is still in progress.

After the community evaluated several recovery options, including checkpoint restoration, the recovery strategy was chosen. Flow held ecosystem-wide consultations with infrastructure partners, bridge operators, and exchanges.

Flow’s $3.9 million exploit happened within a similar pattern of security incidents affecting crypto protocols in late December 2025 and early January 2026. BtcTurk suffered a $48 million hot wallet breach on January 1, 2026. Hackers compromised the centralized exchange’s hot wallet infrastructure and siphoned funds across Ethereum, Arbitrum, Polygon and other chains.

Binance experienced a market maker account manipulation incident on January 1 involving BROCCOLI token.