Flow security incident recap: a type confusion vulnerability in the Cadence runtime was the root cause.
TL;DR
A type confusion vulnerability in Flow's Cadence runtime allowed attackers to forge tokens and steal $3.9 million via bridging, but user assets were unaffected. The network has been restored, forged assets are being destroyed, and exchanges have frozen most counterfeit deposits.
On January 7th, Flow released a report reviewing the attack, stating that attackers exploited a vulnerability in the Flow network to forge tokens and steal approximately $3.9 million via bridging. The attack did not access or leak any existing user balances. While the attack copied assets, it did not affect legitimately held assets; the vast majority of the forged assets were still held on-chain or had been frozen by exchange partners before they could be liquidated. Network validators have approved a decentralized governance action authorizing the permanent destruction of all forged assets. The network was restored on December 29th and is currently operating normally; all transaction history has been preserved.
Attackers deployed over 40 malicious smart contracts sequentially, exploiting a three-part attack chain: 1) bypassing attachment import verification; 2) bypassing built-in type defense checks; and 3) exploiting a semantic vulnerability in the contract initializer. The root cause was a type confusion vulnerability in the Cadence runtime (v1.8.8), which has since been patched (v1.8.9 and later). This vulnerability allowed attackers to disguise protected assets (which should not be replicable) as standard data structures (which can be replicated), thereby bypassing runtime security checks and enabling token forgery.
In addition to removing assets from Flow, the attackers also attempted to deposit counterfeit FLOW tokens into multiple centralized exchanges. However, due to the unusually large transaction volume and internal anti-money laundering protocols, several exchanges froze the deposits upon receipt. Approximately 50% of the counterfeit FLOW deposits have been returned and destroyed by the cooperating trading platforms (such as OKX, Gate, and MEXC), and the foundation is still actively coordinating with other trading platforms.