Flow Confirms Execution Layer Exploit

The Flow Foundation has confirmed a real and material security incident on the Flow network.

On December 27, 2025, an attacker exploited a vulnerability in Flow’s execution layer, successfully moving approximately $3.9 million in assets off-network before validators executed a coordinated network halt. The confirmation was published directly by the Flow Foundation in an official update on X.

Critically, the exploit did not access user wallets or balances. The Foundation stated clearly that all user deposits remain intact, and no customer funds were compromised. The attack targeted execution mechanics rather than custody or account-level access.

Once suspicious activity was detected, validators acted in coordination to halt the network, preventing further movement of funds and isolating the exploit. The incident is now classified as contained, with remediation underway.

How The Attacker Moved Funds

Following containment, the Foundation’s security team mapped the attacker’s exit path in detail.

As of the latest confirmed data, approximately $3.9 million in assets successfully exited the Flow network. The attacker routed funds primarily through a series of cross-chain bridges, including Celer, deBridge, Relay, and Stargate. These bridges served as the initial off-ramps before assets were further dispersed.

The attacker wallet has been identified and flagged, and real-time monitoring is ongoing. According to the Foundation, the stolen funds are currently being laundered through THORChain and Chainflip, two cross-chain liquidity protocols frequently used to obscure transaction trails.

In response, freeze requests have been submitted to major stablecoin issuers and centralized platforms, including Circle, Tether, and multiple large exchanges. Forensic analysis remains active as investigators continue tracing fund movements and coordinating with external partners.

Despite the seriousness of the breach, the Foundation emphasized that the confirmed amount exited is manageable and does not threaten network solvency or user funds.

Containment And Network Halt

Containment measures were decisive.

Validators executed a coordinated network halt, effectively cutting all exit paths and preventing any additional unauthorized activity. According to the Foundation, containment is now complete, and no further exploit activity is possible under the current network state.

The network remains in a read-only mode, ensuring data integrity while remediation is finalized. This approach prioritizes safety over speed, a decision the Foundation has repeatedly reinforced throughout its updates.

Remediation is actively in progress, with engineering teams focused on eliminating the root cause of the exploit and validating a secure restart path.

Restart Timeline And Validation Process

The Flow Foundation has laid out a clear restart plan, though with firm guardrails.

A protocol-level fix has already been developed and is currently entering final validation. The initial target for restarting the network is within 4 to 6 hours, contingent on successful testnet validation.

The Foundation has committed to a transparent update cadence:

•  Next status update: Within 2 hours
•  Target restart window: 4–6 hours (pending validation)
•  Full technical post-mortem: Within 72 hours

Importantly, the network will not restart until the fix has been fully validated. There will be no partial reactivation or rushed ingestion.

Updates will continue every two hours until the restart process is complete.

Market Reaction And FLOW Price Impact

While user funds remain safe, markets reacted swiftly.

Yesterday, the price of FLOW dropped sharply, falling from $0.17 to a low of $0.079, marking a 24-hour decline of 42.61%. At the time of writing, FLOW has recovered modestly and is trading around $0.12, though volatility remains elevated.

The price action reflects a familiar pattern. Even when user funds are unaffected, confirmed network exploits introduce uncertainty. Liquidity thins. Risk premiums widen. And short-term sellers move first.

This reaction was amplified by the temporary network halt and the uncertainty surrounding restart timing, even as the Foundation reiterated that user balances were never at risk.

Extended Coordination With Ecosystem Partners

In a follow-up update, the Flow Foundation announced an extended coordination and synchronization phase, citing the need to align with the broader ecosystem before restarting normal operations.

Flow is deeply integrated with cross-chain bridges, exchanges, indexers, and infrastructure providers. Restarting the network without ensuring full downstream alignment could lead to state mismatches, data inconsistencies, or service disruptions.

To avoid these risks, the Foundation is actively deploying resources to help ecosystem stakeholders reset systems to a specific pre-exploit state. Two precise reference points have been provided:

•  Flow Cadence Height: 137,363,395
•  Flow EVM Height: 51,358,233

All critical partners must align to these checkpoints before ingestion resumes.

As of the latest update:

•  Validators: Ready (Mainnet 28 deployed)
•  Ingestion: Paused
•  Network State: Read-only

Validators are prepared to resume block production, but ingestion remains paused until synchronization is complete. The Foundation warned that resuming ingestion too early could cause downstream issues for users and applications.

As a result, the network will remain in read-only mode until all critical infrastructure providers confirm alignment.

The next official update is scheduled for 7:00 a.m. PT on December 28.

A Controlled Incident, Not A Solvency Event

While the exploit is serious, its scope matters.

This was not a user balance breach. It was not a custody failure. And it was not a threat to network solvency. The attack was limited, detected, contained, and disclosed transparently.

The coming days will be important. The technical post-mortem will provide clarity on execution-layer risks and the safeguards being implemented to prevent recurrence.

For now, the priority is stability. Safe restart. And restoring full functionality without introducing new risk.

The incident is confirmed. The response is active. And the network remains under control.

Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.

Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news!