Flow details $3.9M exploit after Cadence flaw allowed token duplication
Quick Breakdown
- A Cadence runtime flaw allowed token duplication, leading to $3.9M in confirmed losses.
- No user balances were drained; most counterfeit assets were frozen before liquidation.
- Flow has patched the issue and rolled out tighter security and monitoring measures.
The Flow Foundation has released a technical post-mortem explaining a protocol-level exploit that allowed an attacker to counterfeit tokens on the network, causing an estimated $3.9 million in losses before the incident was contained.
Flow Network Exploit Post-mortem
On December 27, 2025, an attacker exploited a vulnerability in the Flow network to counterfeit tokens, extracting approximately $3.9 million USD across bridges. No existing user balances were accessed or compromised. The attack duplicated assets…
— Flow.com (@flow_blockchain) January 6, 2026
The exploit, which occurred on December 27, stemmed from a flaw in Flow’s Cadence runtime that allowed certain assets to be duplicated instead of properly minted. This bypassed supply controls but did not involve draining or accessing existing user balances.
Validators identified the malicious activity and coordinated a network halt within six hours of the first exploit transaction. During the pause, the blockchain was placed in a read-only state to prevent further asset duplication, while major exchange partners froze most counterfeit tokens before they could be sold.
Flow said normal operations resumed two days later following an “isolated recovery” process that preserved legitimate transaction history and enabled the recovery and permanent destruction of fake assets through governance approval.
The Foundation stressed that no user funds were stolen, as the exploit involved duplication rather than removal of assets. A small number of accounts that interacted with counterfeit tokens were temporarily restricted, while more than 99% of users retained full access throughout the recovery.
Security patch deployed as Flow tightens safeguards
While the attacker created a large volume of counterfeit tokens onchain, Flow said most were contained or frozen before liquidation could occur.
The underlying vulnerability has since been patched, with the Foundation introducing stricter runtime checks, expanded regression testing, and enhanced monitoring tools. Flow is also working with forensic specialists and law enforcement, while committing to stronger bug-bounty and security hardening programs going forward.
Flow’s NFT-era rise and post-hack market pressure
Flow was launched by Dapper Labs in 2019 to support consumer-focused blockchain applications, gaining early traction through NBA Top Shot, which helped push the FLOW token above $40 during the 2021 NFT boom.
The project raised roughly $725 million in 2022 from investors, including Andreessen Horowitz and Union Square Ventures, but momentum slowed as NFT activity declined. FLOW has since dropped outside the top 300 cryptocurrencies by market cap.
