The Flow Foundation has released a technical post-mortem on a December exploit that led to about $3.9m in losses.
The incident occurred on 27 December after an attacker exploited a protocol-level flaw in Flow’s Cadence runtime.
The flaw allowed assets to be duplicated rather than minted, bypassing supply controls without draining user balances.
Validators coordinated a network halt within six hours of the first malicious transaction.
Flow placed the blockchain into read-only mode to prevent further duplication and block exit routes.
Exchange partners froze most counterfeit tokens before they could be sold.
Operations resumed two days later under a governance-approved isolated recovery plan.
The process authorised the recovery and permanent destruction of counterfeit assets.
Flow said no legitimate user balances were compromised during the exploit.
More than 99% of accounts retained full access, while a small number were temporarily restricted as a precaution.
The Foundation said it has patched the vulnerability and added stricter runtime checks.