Flow released a technical review report on the security incident: the root cause is a runtime type confusion vulnerability in Cadence
The Flow network suffered an attack that exploited a type confusion vulnerability in the Cadence virtual machine, resulting in the unauthorized issuance of tokens. The attacker used a complex "three-part vulnerability chain" to bypass Cadence's resource linearity guarantees, disguising resource objects as structs so that they could be duplicated. The incident caused approximately $3.9 million in actual economic losses, with funds flowing out through cross-chain bridges such as Celer and deBridge.
According to Flow's monitoring, the attacker created a total of 87.96 billion FLOW and various other tokens, of which 1.094 billion FLOW were transferred to centralized exchanges. Thanks to validators halting the network in time and to cooperation with OKX, Gate.io, MEXC, and other exchanges, about 98.7% of the illicit assets have been frozen on-chain or at exchanges, and approximately 484 million FLOW have been destroyed. The network was restored on December 29 under an "isolation recovery plan," and a comprehensive patch covering parameter validation, runtime checks, and contract deployment logic has been deployed.