An attacker exploited a vulnerability in the execution layer and moved roughly 3.9 million dollars in assets off-network before validators coordinated a network halt. Critically, the exploit did not touch existing user balances.
All deposits remained intact, and the Foundation has since mapped the exit path while working closely with exchanges, bridge operators, and forensic teams to contain and remediate the situation.
Immediate Containment and Remediation
The recent incident on the Flow blockchain underscores the ever-present need for robust security measures in the rapidly evolving world of blockchain networks. Flow, a platform known for hosting popular applications like NBA Top Shot and a variety of NFT platforms, relies on numerous bridges and infrastructure providers. Coordinated responses, like the one enacted here, are becoming increasingly standard as activity across different blockchains expands. Cross-chain bridges, for example, facilitated over 20 billion dollars in volume last quarter alone, making swift incident response crucial for maintaining user trust.
This is the verified update from the Flow Foundation.
INCIDENT CONFIRMED
On December 27, 2025, an attacker exploited a vulnerability in Flow’s execution layer and moved approximately $3.9M in assets off-network before validators executed a coordinated halt.
Critically, this… https://t.co/KEXzo0w8as
— Flow.com (@flow_blockchain) December 27, 2025
In the wake of the attack, Flow validators swiftly halted network activity to cut off all potential exit routes for the stolen funds. The Foundation reported that the compromised assets primarily moved through bridges including Celer, deBridge, Relay, and Stargate, with subsequent laundering activity tracked through THORChain and Chainflip. Immediate freeze requests were submitted to major stablecoin issuers and exchanges in an effort to prevent further unauthorized transfers.
UPDATE: ECOSYSTEM COORDINATION PHASE
The Foundation is coordinating with critical infrastructure partners to finalize the optimal restart pathway.
CURRENT STATUS
→ Remediation plan has been circulated with ecosystem partners and is under evaluation
→ This process includes…
— Flow.com (@flow_blockchain) December 28, 2025
The network fix, designated Mainnet 28, was developed and deployed by validators, successfully restoring the ledger to a state prior to the exploit. Users who submitted transactions between 11:25 PM PST on December 26 and the network halt at 5:30 AM PST on December 27 may need to resubmit their activity. Importantly, all other user balances and assets remain secure. The phased restoration approach prioritizes a safe resumption of operations, beginning with a read-only state, followed by full Cadence remediation, and ultimately EVM re-enablement.
Coordinated Ecosystem Recovery
Flow’s extensive integrations necessitate careful synchronization with its ecosystem partners before normal transaction processing can resume. Bridges, exchanges, and decentralized applications (dApps) must align with the restored ledger to avoid inconsistencies. More than 99.9% of accounts were not affected by the attack. The Flow blockchain team is actively identifying and destroying fraudulent assets through auditable on-chain transactions, and accounts impacted by the attack will regain access immediately following verification.
We have reviewed the latest recovery plan proposed by the @flow_blockchain Foundation and core protocol team. The revised approach preserves all legitimate user activity—meaning no rollback is required—and provides a clear path to restoring network operations.
Dapper Labs fully… https://t.co/wqBXFtyv09
— Dapper Labs (@dapperlabs) December 29, 2025
This incident underscores a broader trend within the blockchain space. As networks become increasingly interconnected, security breaches can create ripple effects across multiple platforms. The 2022 Ronin bridge exploit, which involved 625 million dollars, serves as a stark reminder of the critical role of rapid coordination and transparent communication. Flow’s commitment to transparent updates and its phased remediation plan offer a valuable model for other ecosystems to emulate.

