A detailed post-mortem report on the December 27, 2025, exploit of the Flow blockchain has revealed a sophisticated protocol-level vulnerability in the Cadence runtime that led to an estimated $3.9 million loss. The attack, which began at block height 137,363,398, involved the attacker deploying over 40 malicious smart contracts in a coordinated sequence to exploit a type confusion vulnerability in Cadence version 1.8.8.
The core flaw allowed the attacker to disguise a protected, non-copyable asset as a standard, replicable data structure. This bypassed runtime safety checks and enabled the duplication, rather than minting, of approximately 1.094 billion counterfeit FLOW tokens. Importantly, the report confirms that no existing user balances were directly accessed or compromised during the incident.
Flow's network validators initiated a coordinated network halt within six hours of the first malicious transaction, at block height 137,390,190 on December 27. This swift action helped contain the fallout. The attacker had begun moving the counterfeit tokens to centralized exchange deposit addresses shortly after the exploit began.
A significant portion of the counterfeit supply has already been recovered and destroyed. Cooperative exchange partners OKX, Gate.io, and MEXC have returned 484,434,923 FLOW tokens, which were subsequently destroyed. Flow Foundation reports that 98.7% of the remaining counterfeit supply has been isolated on-chain and is pending destruction, with a full resolution expected within 30 days. A protocol-level backstop has been implemented to restrict all attacker-linked addresses, preventing withdrawal, bridging, or transfer of the fake tokens.
Following the incident, developers opted for an "isolated recovery" plan instead of a full-chain rollback to preserve legitimate transaction history. The vulnerability has been patched, and the Flow network is now fully operational. This recovery clarity has sparked a rebound for the FLOW token, which plunged roughly 40% in the five hours post-hack to a low of $0.075 on January 2. In the 24 hours following the report's release, FLOW rallied over 14%, trading around $0.1015.
