Flow details Dec. exploit duplicating tokens, $3.9M loss

The Flow Foundation on Tuesday released a technical post-mortem on a Dec. 27 protocol exploit that enabled an attacker to create counterfeit tokens on the network, causing approximately $3.9 million in confirmed losses before the issue was contained.

According to the report, the incident stemmed from a flaw in Flow’s Cadence runtime that permitted certain assets to be duplicated rather than properly minted, circumventing supply controls without accessing or draining existing user balances. Validators coordinated a network halt within six hours of the initial malicious transaction, and exchange partners froze most counterfeit assets before they could be sold.

Flow said the temporary halt placed the network into read-only mode to cut off exit routes and stop further duplication while the vulnerability was investigated. Operations resumed two days later under an “isolated recovery” plan that preserved legitimate transaction history and, via a governance-approved process, authorized the recovery and permanent destruction of counterfeit assets.

The Foundation stated that no existing user balances were compromised because the exploit duplicated assets instead of removing funds from accounts. A small number of accounts that interacted with counterfeit tokens were temporarily restricted as a precaution, while more than 99% of accounts retained full access during and after the recovery.

While the attacker generated a significant quantity of counterfeit tokens on-chain, the Foundation said the vast majority were contained or frozen prior to liquidation. The underlying vulnerability has been patched, with stricter runtime checks and expanded regression testing implemented to mitigate similar risks. The organization is working with forensic partners and law enforcement and plans to enhance monitoring and bug-bounty programs as part of broader security measures.

Flow’s market backdrop and token performance

Dapper Labs, the company behind CryptoKitties, announced Flow in September 2019 as a new layer-1 blockchain aimed at addressing scalability challenges for consumer applications such as games and digital collectibles. Early traction with NBA Top Shot in 2020 and 2021 brought mainstream attention to the network, and Flow’s native token, FLOW, surpassed $40 in 2021, according to CoinGecko.

Flow’s momentum continued into 2022, when the project raised about $725 million from investors including Andreessen Horowitz (a16z) and Union Square Ventures to support ecosystem development.

As broader NFT activity cooled in subsequent years, FLOW lost momentum and fell outside the top 300 cryptocurrencies by market capitalization.

The decline accelerated after the Dec. 27 exploit, when FLOW dropped around 40% over five hours. The token later fell to a low of $0.075 on Jan. 2 before beginning to recover. It was trading near $0.10 at the time of writing, up about 16% over the past 24 hours, according to CoinGecko data.
