
Flow Releases Technical Post-Mortem Report on Security Incident of December 27, 2025

2026-01-06 16:46

Odaily News: On December 27, 2025, the Flow network was attacked through a type confusion vulnerability in the Cadence virtual machine, which led to unauthorized token minting. The attacker used a complex "three-part vulnerability chain" to bypass resource linearity guarantees, disguising resource objects as structs so that they could be copied. The incident resulted in approximately $3.9 million in actual financial losses, with funds already transferred out via cross-chain bridges such as Celer and deBridge.

According to Flow's monitoring, the attacker minted a total of 87.96 billion FLOW tokens and various other tokens, of which 1.094 billion FLOW were transferred to centralized exchanges. Due to the timely shutdown by validators and collaboration with exchanges including OKX, Gate.io, and MEXC, approximately 98.7% of the illicit assets have been frozen on-chain or on exchanges, and about 484 million FLOW tokens have been destroyed. The network was restored on December 29 via an "Isolation Recovery Plan" and has now deployed comprehensive patches covering parameter validation, runtime checks, and contract deployment logic.