Flow outlines December exploit that duplicated tokens, $3.9M in losses


The Flow Foundation on Tuesday published a technical post-mortem describing a protocol-level exploit on Dec. 27 that allowed an attacker to counterfeit tokens on the Flow network, resulting in about $3.9 million in confirmed losses before the incident was contained. According to the report, the attacker exploited a flaw in Flow’s Cadence runtime that allowed certain assets to be duplicated rather than minted, bypassing supply controls without accessing or draining existing user balances.

Validators coordinated a network halt within six hours of the first malicious transaction, while exchange partners froze most counterfeit assets before they could be sold. The temporary halt placed the network into a read-only mode to sever exit paths and prevent further duplication while the issue was investigated.

Operations resumed two days later under an "isolated recovery" plan that preserved legitimate transaction history and authorized the recovery and permanent destruction of counterfeit assets through a governance-approved process. Flow said no existing user balances were compromised; a limited number of accounts that interacted with counterfeit tokens were temporarily restricted, and more than 99% of accounts retained full access during and after recovery.

