Flow Blockchain’s $3.9 Million Hack Uncovered: Detailed Report on Protocol Vulnerability and Recovery Steps

3 days ago

Security Breach on the Flow Blockchain

On December 27, the Flow blockchain experienced a significant security breach, detailed in a comprehensive post-incident analysis by the Flow Foundation. This incident uncovered a critical exploit at the protocol level, enabling an attacker to duplicate fungible tokens, resulting in an estimated loss of $3.9 million.

Details of the Attack

The report highlighted the attacker’s advanced technical skills, noting that they orchestrated the deployment of over 40 harmful smart contracts in a meticulous and strategic manner. The attack took advantage of a major defect in the Cadence execution layer, version 1.8.8, allowing the perpetrator to mask a normally non-copyable protected asset as a regular data structure, which could then be replicated.

In essence, the attacker was able to create duplicates of tokens instead of minting new ones, which is why user balances remained unaffected during the incident. In a timely response, Flow validators managed to halt the network within six hours of the attack’s initial execution. Moreover, funds that had already been transferred to centralized exchanges were frozen by the exchange platforms.

Impact on Exchanges and Recovery Efforts

The attacker had deposited about 1.094 billion fake FLOW tokens across several major exchanges. Of this amount, exchange partners including OKX, Gate.io, and MEXC successfully returned and destroyed 484,434,923 FLOW tokens. In addition, the Flow team has isolated 98.7% of the remaining counterfeit tokens, which are slated for destruction.

As the Flow Foundation continues to work with other exchanges to retrieve the remaining assets, it has implemented a protocol-level safeguard that blocks all deposit addresses associated with the attackers, preventing the counterfeit tokens from being withdrawn, bridged, or transferred until they can be returned and destroyed.

Resolution and Market Response

The vulnerability exploited by the attacker has since been resolved, and the Flow network is operating normally. Developers opted for a strategy of isolated recovery, rather than undertaking a complete chain rollback, to preserve the integrity of legitimate transaction histories. This approach facilitates the approved governance process for destroying the counterfeit assets.

Following the incident, the FLOW token, the blockchain’s native currency, has shown signs of recovery. After a dramatic 40% drop within five hours of the hack and a low of $0.075 on January 2, FLOW rebounded and was trading at $0.1015, a 14% increase in the last day as the network resumed normal operations.