Flow Hit by $3.9M Execution Layer Exploit, Phase 1 Recovery Set

The Flow Foundation has confirmed a security incident that affected the Flow blockchain on December 27. According to the Foundation, an attacker exploited a vulnerability in Flow’s execution layer. They moved approximately $3.9 million in assets off the network. Validators detected the activity and executed a coordinated network halt shortly after the exploit. 

The halt severed all exit paths and prevented further unauthorized transactions. The Foundation stressed that the attack did not compromise existing user balances. All user deposits remain intact. Following the incident, Flow placed the network into a protected state. While engineers and validators assessed the scope of the exploit and prepared remediation steps.

Funds Tracked as User Balances Remain Secure

Flow’s security team, working with Find Labs, mapped the attacker’s exit routes and identified the primary wallet involved. The stolen funds moved mainly through cross-chain bridges. Including Celer, deBridge, Relay and Stargate, before reaching Ethereum. Investigators confirmed active laundering attempts through privacy-focused protocols such as THORChain and Chainflip. 

In response, freeze requests were submitted to major exchanges and stablecoin issuers, including Circle and Tether. Despite the complexity of the attack, the Foundation reiterated that the affected amount does not threaten network solvency. Crucially, the exploit did not access or alter existing user balances on Flow.

Network Enters Read-Only Mode During Remediation

After validator consensus, Flow deployed a protocol upgrade known as Mainnet 28. The network is currently online and producing blocks but remains in read-only mode. During this phase, general transaction ingestion stays paused while remediation steps undergo testing and validation. The Foundation explained that this pause allows ecosystem partners. Including bridges and exchanges, to synchronize with the restored ledger state. 

Restarting full operations before alignment could cause transaction failures or balance mismatches. Transactions submitted between approximately 11:25 PM PT on December 26. Also, the network halt at 5:30 AM PT on December 27. This must resubmit that once operations resume.

Phase 1 Recovery Set for 6:00 AM PT

Flow validators have now agreed on a phased recovery plan. Phase 1 is scheduled to begin at 6:00 AM Pacific Time. At that point, the Cadence environment will return to full operation for more than 99.9% of accounts. Accounts identified as recipients of fraudulently minted tokens will remain temporarily restricted as a precaution. Meanwhile, the EVM environment will stay in read-only mode until further remediation is completed. The Foundation plans to publish a full technical post-mortem within 72 hours. Additional updates will follow as Flow moves through later recovery phases and restores full functionality across its ecosystem.