Significant Exploit on Flow Blockchain
In the wake of a significant exploit that drained funds from the Flow blockchain, Alex Smirnov, the founder of deBridge, is calling on validators to pause transaction processing until a solid remediation strategy is created for affected users. The attack, which took place on December 27, led to the theft of approximately $3.9 million through a vulnerability in Flow’s execution framework and prompted the introduction of a controversial rollback plan intended as an emergency response.
Concerns Over Rollback Plan
This rollback plan has caused considerable unrest within the Flow ecosystem as it raises concerns regarding discrepancies in user balances. During this turmoil, users who transferred assets out of the Flow network might find themselves facing inaccurate or duplicated balances due to the rollback initiative. Smirnov highlighted the need for increased transparency and collaboration from the Flow Foundation to ease the confusion, especially since deBridge serves as a primary bridge service for the network.
Flow validators, however, have yet to respond to Smirnov’s appeal, with blockchain records indicating that the network has remained halted at block height 137,385,824 since late Saturday. Although the Flow Foundation projected a network reactivation within a few hours, the market impact has been dramatic, with the FLOW token plummeting approximately 42% following the exploit, as reported by CoinCodex.
Inconsistent Messaging and Community Skepticism
Further complicating the situation, the messaging from stakeholders within the ecosystem has been inconsistent. In October, Dapper Labs, the creator of Flow, had indicated that a modified recovery strategy would negate the need for a rollback, thus safeguarding legitimate user activities and restoring network functionalities. Critics have, however, raised doubts about the overarching impact of the rollback on user confidence. Smirnov labeled the plan as hasty and expressed concerns that stakeholders were inadequately informed, asserting that such rollbacks could lead to wider issues for bridges, custodians, and exchanges.
Gabriel Shapiro, general counsel at Delphi Labs, critiqued the Flow approach from a legal standpoint as one that involuntarily shifts risk onto bridges and issuers while creating assets lacking adequate backing.
Despite Dapper Labs’ stance that no user balances—including their treasury—were affected, skepticism persists within the community. Flow, which once attracted significant investor interest, including $725 million from notable firms like Andreessen Horowitz and Union Square Ventures, has seen its total value locked plummet to just $85.5 million, causing it to drop below the top 300 cryptocurrencies.
Trust Wallet Security Breach
In a related scenario, Trust Wallet has also been in the spotlight following a security breach tied to its Chrome browser extension. It announced the launch of a formal claims process after users reported drained funds caused by malicious code discovered in version 2.68 of the extension. The security hole was detected shortly after a software update on December 24, and it led to the theft of around $7 million worth of assets spread across various blockchains, including Bitcoin, Ethereum, and Solana.
Affected users can now submit claims through Trust Wallet’s official support channel by providing necessary details like their compromised wallet addresses and relevant transaction data. Trust Wallet has said it is keen to compensate all users impacted by the problem. Following the incident, it was identified that over $4 million of the stolen funds were laundered through centralized exchanges like ChangeNOW and KuCoin. Binance’s founder, Changpeng Zhao, reaffirmed that all incurred losses would be compensated, emphasizing that user assets remain secure.
The issue came to light publicly on Christmas Day, with on-chain investigator ZachXBT first reporting the suspicious activity. Trust Wallet rolled out an updated version, 2.69, to address the issue shortly after, with the company’s CEO clarifying that the compromised extension affected only those who accessed it before December 26, 11 a.m. UTC. The investigation revealed that the exploited API key used to publish the faulty extension had bypassed internal controls, and security firm SlowMist found that the malicious code was able to sift through wallet seed phrases via a modified open-source analytics library. Trust Wallet confirmed that its mobile application and users of other browser extensions remained unaffected by the breach.