The Flow blockchain faced a major security crisis after an attacker exploited a vulnerability in its execution layer on December 27, 2025, siphoning approximately $3.9 million in assets off the network through multiple cross-chain bridges. Validators executed a coordinated network halt shortly after the exploit was detected, severing exit paths and preventing further unauthorized transactions. The Flow Foundation and forensic partner FindLabs confirmed that existing user balances were not accessed and the exploit was contained quickly.
In the immediate aftermath, Flow core developers proposed a full blockchain rollback to a checkpoint prior to the exploit. This controversial move would have erased all transactions submitted during a several-hour window, requiring users and infrastructure providers to resubmit activity. The proposal triggered sharp backlash from key ecosystem partners who claimed they were not consulted.
Alex Smirnov, founder of cross-chain bridge deBridge, one of Flow's major bridge providers, stated he learned of the rollback decision only after it was publicly announced. He warned that reverting the chain could create doubled balances for users who bridged assets out during the rollback window while leaving others who bridged in facing losses with no clear reimbursement plan. The uncertainty caused the FLOW token to plummet more than 40%, and some centralized exchanges temporarily suspended transactions.
Data from DefiLlama showed Flow's total value locked dropped from $107 million to $73.8 million after the incident before rebounding to about $97.2 million, representing a 31% recovery in 24 hours. Legal and technical observers, including Delphi Labs general counsel Gabriel Shapiro, criticized the rollback approach as potentially pushing losses onto bridges and issuers by creating unbacked assets.
Facing mounting pressure, the Flow Foundation shifted course on December 29, announcing a revised remediation plan developed in consultation with bridge operators, exchanges, and validators. The updated approach abandoned the global rollback in favor of isolating and destroying fraudulently minted tokens while preserving legitimate user activity. Dapper Labs, which launched Flow, reviewed and supported the revised plan.
Under the new recovery strategy, validators approved a software upgrade (Mainnet 28), and the network returned online in read-only testing mode. The Foundation scheduled Phase 1 recovery to begin at 6:00 AM Pacific Time on December 29, with the Cadence environment returning to full operation for more than 99.9% of accounts. Accounts identified as recipients of fraudulently minted tokens remain temporarily restricted, while the EVM environment stays in read-only mode until further remediation is completed. The Foundation plans to publish a full technical post-mortem within 72 hours.
