
Flow Details December Exploit that Led to $3.9M in Counterfeit Token Losses

Flow Blockchain Exploit: $3.9M Token Counterfeiting Incident and Network Response

Summary:

The Flow Foundation disclosed a critical vulnerability in its Cadence runtime that allowed an attacker to counterfeit tokens worth $3.9 million on December 27. The exploit involved asset duplication rather than direct fund theft, with validators halting the network within six hours to contain the damage. Flow implemented an isolated recovery plan, preserving legitimate transactions while destroying counterfeit assets through governance-approved processes. This incident highlights ongoing security challenges in blockchain protocols, particularly those like Flow that specialize in NFT and digital collectible infrastructure.

What This Means for You:

  • Asset security: Verify all Flow-based assets through official channels, as counterfeit tokens may still exist in secondary markets
  • Protocol vigilance: Monitor Flow’s security upgrades, including enhanced runtime checks and expanded regression testing
  • Market impact: Expect continued volatility in FLOW token prices as the ecosystem recovers from both technical and reputational damage
  • Future precautions: The incident demonstrates the importance of rapid validator response and exchange coordination in containing blockchain exploits

Original Post:

The Flow Foundation on Tuesday published a technical post-mortem detailing a protocol-level exploit that occurred on Dec. 27, when an attacker was able to counterfeit tokens on the network, resulting in about $3.9 million in confirmed losses before the exploit was contained.

According to the report, the attacker exploited a flaw in Flow’s Cadence runtime that allowed certain assets to be duplicated rather than minted, bypassing supply controls without accessing or draining existing user balances. Validators coordinated a network halt within six hours of the first malicious transaction, while exchange partners froze most counterfeit assets before they could be sold.
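The report's point that the assets were duplicated rather than minted explains why per-account balance checks stayed clean: duplication never touches the recorded supply. As an added illustration (not Flow Foundation code, and not a model of the actual Cadence flaw), the toy ledger below shows how a supply reconciliation check exposes such duplication where balance checks cannot; the account names and amounts are constructed.

```python
# Added example, not Flow Foundation code: a toy ledger that models why a
# "duplicate rather than mint" flaw escapes per-account checks but not a
# supply reconciliation. Account names and amounts are constructed.
from dataclasses import dataclass, field


@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)
    total_supply: int = 0  # supply recorded by the legitimate mint path

    def mint(self, account: str, amount: int) -> None:
        """Legitimate issuance: balance and recorded supply move together."""
        self.balances[account] = self.balances.get(account, 0) + amount
        self.total_supply += amount

    def transfer(self, src: str, dst: str, amount: int) -> None:
        """Normal transfer: conserves circulating tokens."""
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def duplicate(self, src: str, dst: str) -> None:
        """Abstract model of the exploit class (hypothetical): a copy of an
        asset appears without passing through mint, so supply is untouched."""
        self.balances[dst] = self.balances.get(dst, 0) + self.balances[src]


def circulating(ledger: Ledger) -> int:
    """Tokens actually present across all accounts."""
    return sum(ledger.balances.values())


def counterfeit_excess(ledger: Ledger) -> int:
    """Supply reconciliation: tokens in circulation beyond recorded supply.
    Zero for a healthy ledger; positive once duplication has occurred."""
    return circulating(ledger) - ledger.total_supply


def demo() -> tuple:
    """Returns (excess before duplication, excess after duplication)."""
    ledger = Ledger()
    ledger.mint("alice", 1_000)
    ledger.transfer("alice", "bob", 250)
    before = counterfeit_excess(ledger)        # 0: every balance is backed
    ledger.duplicate("alice", "carol")         # balances alone still look valid
    return before, counterfeit_excess(ledger)  # (0, 750)
```

Running the reconciliation as a periodic monitor gives a network-level signal for this class of incident even when every individual account check passes.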

Flow said the temporary halt placed the network into a read-only mode to sever exit paths and prevent further duplication while the issue was investigated. Operations resumed two days later under an “isolated recovery” plan that preserved legitimate transaction history and authorized the recovery and permanent destruction of counterfeit assets through a governance-approved process.

[Image: source Flow Blockchain]

The Flow Foundation, which supports the Flow network, said no existing user balances were compromised, as the exploit duplicated assets rather than removing funds from accounts. A limited number of accounts that interacted with counterfeit tokens were temporarily restricted as a precaution, while more than 99% of accounts retained full access during and after the recovery.

While the attacker generated a large volume of counterfeit tokens onchain, Flow said the vast majority were contained or frozen before liquidation.

The Foundation said it has since patched the underlying vulnerability, added stricter runtime checks and expanded regression testing to prevent similar exploits. It is also working with forensic partners and law enforcement and plans to strengthen monitoring and bug-bounty programs as part of broader security hardening.


Flow’s post-NFT downturn

Dapper Labs, the creators of the non-fungible token project CryptoKitties, announced the development of Flow in September 2019 as a new layer 1 blockchain designed to address scalability challenges facing consumer applications such as games and digital collectibles.

Early success with NBA Top Shot, an NFT platform for trading officially licensed NBA video highlights, helped bring mainstream attention to the Flow blockchain in 2020 and 2021. Against this backdrop, the network’s FLOW token surged past $40 in 2021, according to data from CoinGecko.

Flow’s momentum carried into 2022, where the project raised about $725 million from investors, including Andreessen Horowitz (a16z) and Union Square Ventures, to support ecosystem development.

As activity across the NFT market cooled in the years that followed, the FLOW token also lost momentum and has since fallen outside the top 300 cryptocurrencies by market capitalization.

The decline accelerated following the Dec. 27 hack, when FLOW plunged by around 40% over five hours.

The token later slid to a low of $0.075 on Jan. 2 before beginning to recover. It was trading near $0.10 at the time of writing, up about 16% over the past 24 hours, according to Cointelegraph data.

[Image: source CoinGecko]


Extra Information:

Flow Security Portal – Official updates on security measures post-exploit
Cadence GitHub – Technical documentation for Flow’s smart contract language where the vulnerability existed
Flow DApp Rankings – Shows current ecosystem health and adoption metrics

People Also Ask About:

  • Were user funds stolen in the Flow exploit? No, the attack involved token duplication rather than direct theft from wallets.
  • How long was the Flow network down? Approximately 48 hours during investigation and recovery.
  • What is Cadence in Flow blockchain? Flow’s resource-oriented smart contract programming language where the vulnerability existed.
  • Can this happen again on Flow? The Foundation claims to have patched the specific vulnerability and enhanced security measures.
  • How does this affect NBA Top Shot? The platform continued operating in read-only mode during the network halt.

Expert Opinion:

“This incident underscores the unique security challenges of resource-oriented programming models like Cadence, where asset duplication vulnerabilities can bypass traditional safeguards. While Flow’s rapid response mitigated damage, the exploit reveals fundamental tensions between developer flexibility and protocol security in blockchain architectures designed for digital collectibles.” – Blockchain Security Analyst
