Flow Security Incident Review: Type Confusion Vulnerability in Cadence Identified as Key Factor
BlockBeats News, January 7th, Folw released an attack event retrospective report, stating that the attacker exploited a Flow Network vulnerability to mint fake tokens, stealing approximately $3.9 million through a bridging attack. This attack did not access or leak any existing user balances. The attack duplicated assets but did not touch legitimately held assets, with the majority of the fake assets either stored on-chain before liquidation or frozen by exchange partners. Network validators have approved a decentralized governance action authorizing the permanent destruction of all fake assets. The network resumed operation on December 29th, is currently running smoothly, and all transaction history has been preserved.
The attacker sequentially deployed over 40 malicious smart contracts, leveraging a three-stage attack chain: 1) bypassing attachment import verification; 2) circumventing defense checks of built-in types; 3) exploiting a contract initializer semantic vulnerability. The root cause was a type confusion vulnerability in the Cadence runtime (v1.8.8), which has now been patched (v1.8.9 and higher versions). This vulnerability allowed the attacker to disguise protected assets (which should not be duplicable) as standard data structures (which are duplicable), bypassing runtime security checks and enabling token minting.
In addition to moving assets out of Flow, the attacker also attempted to deposit fake FLOW on several centralized exchanges, but due to the abnormal transaction volume and internal anti-money laundering protocols, multiple exchanges froze the deposit upon receipt. Approximately 50% of the fake FLOW deposits have been returned and destroyed by cooperating exchanges (such as OKX, Gate, MEXC), while the foundation continues to actively coordinate with other exchange platforms.
You may also like
Do you want to buy CRCL?
Wosh: Inflation has cooled in recent weeks, AI is reshaping the economy, and forward guidance has lost its necessity
The most secretive AI winner
Looking at Stripe's ambitions and the future of stablecoins from OUSD
From Pump.fun to Collector Crypt: Has Solana's income throne changed hands?
Dan Bin's latest speech: Don't miss out on a great era
Robinhood launches its own blockchain, no longer wanting to be a tenant on others' chains
Why Tokenized Stocks Are Booming in 2026 While Crypto Is Still Struggling
Former ByteDance employee's account: How I started with two Pinduoduo hard drives and made six times the profit with Seagate to achieve financial freedom?
MiCA reshuffle begins, Binance temporarily bids farewell to the EU
How does Gate redo "buying and selling stocks" from the cryptocurrency world to the stock market?
Visa and Mastercard join 140 giants to launch a new stablecoin, but the impact on the market landscape may still be limited
Circle CEO responds to OUSD's challenge: Stablecoins are a winner-takes-all business, and we will not slow down
Argentina vs Cape Verde: When a Record-Breaking Legend Meets an Unbreakable Underdog
WEEX exclusive pre-match analysis of Argentina vs Cape Verde, exploring Messi-led Argentina’s dominance and Cape Verde’s historic defensive breakout, with a breakdown of volatility, structure, and match dynamics.

