Flow details December exploit that resulted in $3.9 million in counterfeit token losses


The Flow Foundation released a technical post-mortem on Tuesday detailing a protocol-level exploit that occurred on December 27, when an attacker successfully counterfeited tokens on the network, resulting in approximately $3.9 million in confirmed losses before the exploit was contained.

According to the report, the attacker exploited a flaw in Flow’s Cadence runtime that allowed certain assets to be duplicated rather than created, bypassing provisioning controls without accessing or draining existing users’ balances. Validators coordinated a network shutdown within six hours of the first malicious transaction, while exchange partners froze most of the counterfeit assets before they could be sold.

Flow said the temporary shutdown placed the network in read-only mode to cut off egress paths and prevent further duplication while the issue was investigated. Operations resumed two days later under an “isolated recovery” plan that preserved legitimate transaction history and authorized the recovery and permanent destruction of counterfeit assets through a governance-approved process.


The Flow Foundation, which supports the Flow network, said no existing user balances were compromised because the exploit duplicated assets rather than removing funds from accounts. A limited number of accounts that interacted with counterfeit tokens were temporarily restricted as a precaution, while over 99% of accounts retained full access during and after recovery.

While the attacker generated a large volume of counterfeit tokens on-chain, Flow said the vast majority were contained or frozen before liquidation.

The Foundation said it has since fixed the underlying vulnerability, added stricter execution controls, and expanded regression testing to prevent similar exploits. The company is also working with forensic partners and law enforcement and plans to strengthen surveillance and bug bounty programs as part of a broader security boost.


Flow's slowdown after NFTs

Dapper Labs, the creator of the non-fungible token project CryptoKitties, announced the development of Flow in September 2019 as a new layer 1 blockchain designed to address the scalability challenges faced by consumer applications such as gaming and digital collectibles.

Early success with NBA Top Shot, an NFT platform for exchanging officially licensed NBA video clips, helped bring mainstream attention to the Flow blockchain in 2020 and 2021. Against that backdrop, the network’s FLOW token exceeded $40 in 2021, according to data from CoinGecko.

Flow’s momentum continued into 2022, when the project raised approximately $725 million from investors, including Andreessen Horowitz (a16z) and Union Square Ventures, to support ecosystem development.

As activity in the NFT market has cooled in the years since, the FLOW token has also lost momentum and has fallen outside the top 300 cryptocurrencies by market capitalization.

The decline accelerated after the December 27 hack, when FLOW plunged about 40% in five hours.

The token then fell to a low of $0.075 on January 2 before starting to recover. It was trading near $0.10 at the time of writing, up about 16% in the past 24 hours, according to Cointelegraph data.

