Flow released its technical recap report on the security incident on December 27, 2025.
TL;DR
Flow network was attacked on Dec 27, 2025, exploiting a Cadence VM vulnerability to issue illegal tokens, causing $3.9M in losses. Validators froze 98.7% of assets and destroyed 484M FLOW tokens, with the network restored on Dec 29 after patches.
Tags
Odaily Odaily reported on December 27, 2025, that the Flow network suffered an attack targeting a Cadence virtual machine type obfuscation vulnerability, resulting in the illegal issuance of tokens. The attackers exploited a complex "three-part vulnerability chain" to bypass resource linearity guarantees, disguising resource objects as structures for duplication. The incident caused approximately $3.9 million in actual economic losses, with funds flowing out through cross-chain bridges such as Celer and deBridge.
According to Flow monitoring, the attackers created a total of 87.96 billion FLOW tokens and various other tokens, of which 1.094 billion FLOW tokens were transferred to centralized exchanges. Thanks to the validators' timely shutdown and cooperation with OKX, Gate.io, and MEXC, approximately 98.7% of the illicit assets have been frozen on-chain or on exchanges, and approximately 484 million FLOW tokens have been destroyed. The network was restored on December 29th through the "Isolation Recovery Plan," and comprehensive patches covering parameter validation, runtime checks, and contract deployment logic have been deployed.