December exploit on Flow resulted in a $3.9M loss from fake tokens



The Flow Foundation published a technical post-mortem on Tuesday detailing a protocol-level exploit that took place on December 27, when an attacker was able to create fake tokens on the network, causing about $3.9 million in confirmed losses before the exploit was caught.

According to the report, the attacker exploited a flaw in Flow's Cadence runtime to cause certain assets to be duplicated rather than produced, bypassing provisioning controls without accessing or deleting existing users' balances. Verifiers coordinated a network shutdown within six hours of the first malicious transaction, while exchange partners blocked most of the fake assets before they were sold.

Flow said the temporary shutdown put the network in read-only mode to cut off exit routes and prevent further duplication while the issue was investigated. Operations resumed two days later under an “independent recovery” plan that allowed the network to recover and permanently destroy counterfeit assets through an administratively approved process that preserved legitimate transaction history.


No existing user balances were compromised because the Flow Foundation, which supports the Flow network, seized duplicate assets rather than removing funds from accounts. Some accounts linked to fake tokens were temporarily restricted as a precaution, and over 99% of accounts regained full access during and after the recovery.


While the attacker generated a large amount of fake tokens on-chain, Flow said most of them were seized or frozen before they could be liquidated.

For its part, the foundation said it has patched the underlying vulnerability, implemented stricter runtime checks, and expanded support testing to prevent similar exploits. It is also working with forensic partners and law enforcement, and plans to implement monitoring and bug bounty programs as part of broader security enhancements.


Flow post-NFT failure

Dapper Labs, the creator of the blockchain project CryptoKitties, announced in September 2019 the development of Flow as a new layer-1 blockchain designed to solve the scalability challenges facing consumer applications such as games and digital collectibles.

Early success with NBA Top Shot, a series of officially licensed NBA video highlights, helped the NFT platform gain mainstream attention in 2020 and 2021. Against this background, the network's Flow token rose above $40 in 2021.

Flow accelerated in 2022, with the project raising about $725 million from investors including Andreessen Horowitz (a16z) and Union Square Ventures to support the development of the ecosystem.

As activity in the NFT market cooled over the following years, the FLOW token lost momentum and fell out of the top 300 cryptocurrencies by market capitalization.

The decline was compounded following the December 27 hack, when Flow dropped nearly 40% in five hours.

The token slipped to a low of $0.075 on Friday before starting to recover. According to Cointelegraph data, it was trading close to $0.10 at the time of writing, up about 16% in the last 24 hours.

