The Flow Foundation has confirmed a security incident impacting the Flow blockchain on Dec. 27, after an attacker exploited a vulnerability in the network’s execution layer. Approximately $3.9 million in assets were moved off the network before validators detected the suspicious activity and initiated a coordinated network halt.
The halt immediately cut off all exit routes, preventing any further unauthorized transactions. The Foundation emphasized that the exploit did not affect existing user balances and that all deposits remain secure. Following the incident, the network was placed into a protected state while engineers and validators assessed the breach and prepared remediation measures.
Funds tracked as user balances remain secure
Flow’s security team, in collaboration with Find Labs, traced the attacker’s exit paths and identified the primary wallet involved in the exploit. Investigators found that the stolen funds were routed primarily through cross-chain bridges — including Celer, deBridge, Relay, and Stargate — before arriving on Ethereum.
The team also confirmed ongoing laundering attempts using privacy-focused protocols such as THORChain and Chainflip.
In response to the incident, freeze requests were submitted to major exchanges and stablecoin issuers, including Circle and Tether. Despite the sophistication of the exploit, the Flow Foundation emphasized that the loss does not pose a threat to network solvency. Importantly, the attack did not access or modify existing user balances on Flow.
Network enters read-only mode during remediation
Following validator consensus, Flow deployed a protocol upgrade known as Mainnet 28. The network is now online and producing blocks but is operating in a read-only mode. During this phase, general transaction processing remains paused while remediation measures are tested and validated.
The Foundation said the temporary pause allows ecosystem partners — including bridges and exchanges — to align with the restored ledger state before full network functionality is resumed.
Restarting full operations before ecosystem alignment is complete could result in transaction failures or balance inconsistencies. Any transactions submitted between approximately 11:25 p.m. PT on Dec. 26 and the network halt at 5:30 a.m. PT on Dec. 27 will need to be resubmitted once normal operations resume.
Phase 1 recovery set for 6:00 a.m. PT
Flow validators have agreed on a phased recovery plan, with Phase 1 scheduled to begin at 6:00 a.m. Pacific Time. At that stage, the Cadence environment will return to full functionality for more than 99.9% of accounts. Accounts identified as recipients of fraudulently minted tokens will remain temporarily restricted as a precautionary measure.
The EVM environment will continue operating in read-only mode until additional remediation steps are completed. The Flow Foundation said it plans to release a full technical post-mortem within 72 hours, with further updates to follow as the network progresses through subsequent recovery phases and restores full ecosystem functionality.
