Flow released a technical review report on security incidents

Flow network has encountered an attack targeting the Cadence virtual machine type confusion vulnerability, resulting in illegal token issuance. The attacker exploited a complex "three-part vulnerability chain" to bypass resource linearity guarantees, disguising resource objects as structs for duplication. The incident caused approximately $3.9 million in actual economic losses, with funds flowing out through cross-chain bridges such as Celer and deBridge.

According to Flow monitoring, the attacker created a total of 87.96 billion FLOW and various tokens, of which 1.094 billion FLOW were transferred to centralized exchanges. Thanks to timely shutdowns by validators and cooperation with OKX, Gate.io, MEXC, and others, about 98.7% of the illegal assets have been frozen on-chain or at exchanges, and approximately 484 million FLOW have been destroyed. The network has recovered through an "isolation recovery plan" on December 29, and a comprehensive patch covering parameter validation, runtime checks, and contract deployment logic has been deployed.