Flow Foundation details the December cyber attack involving counterfeit tokens

Flow Foundation has published a post-incident report regarding the protocol vulnerability exploit that occurred on 12/27, which allowed attackers to create counterfeit tokens on the network, causing approximately $3.9 million in damages. The root cause was traced to an error in the Cadence runtime environment, enabling assets to be duplicated instead of minted, thereby bypassing supply control without affecting user balances.

Validators coordinated to temporarily pause the network for six hours, putting the system into read-only mode to prevent further spread. Most counterfeit tokens were frozen before being sold. The network was restored after two days following an isolated recovery plan, and the counterfeit tokens were recovered and burned through governance mechanisms.

Flow confirmed that no accounts lost funds, and the vulnerability has been patched, with enhanced security checks and an expanded bug bounty program. However, following the incident, the FLOW token price dropped sharply by nearly 40% before a slight recovery.