Flow Faces Trust Crisis After Exploit and Rollback Plan

deBridge founder Alex Smirnov called on validators to halt transactions until a remediation plan is put in place for affected users. Separately, Trust Wallet confirmed that malicious code embedded in its Chrome extension led to approximately $7 million in stolen assets across multiple blockchains, prompting the wallet provider to launch a formal compensation process. Binance founder Changpeng Zhao said that all affected losses will be covered.

Flow Exploit Fallout Grows

Alex Smirnov, founder of cross-chain bridge provider deBridge, publicly urged validators on the Flow blockchain to halt transaction processing until a clear remediation plan is established for users affected by the network’s controversial rollback proposal. The call was made in the aftermath of a $3.9 million exploit that happened on Dec. 27, when an attacker took advantage of a vulnerability in Flow’s execution layer and siphoned funds off the network through multiple cross-chain bridges.

The rollback plan was introduced as an emergency response to the exploit, but triggered widespread concern across the Flow ecosystem. Smirnov warned that the rollback created confusion around user balances, particularly for those who bridged assets out of Flow during the affected window and now face the possibility of doubled or mismatched balances. As one of Flow’s primary bridge providers, deBridge was directly exposed to these inconsistencies, which led to Smirnov’s call for better transparency and coordination from the Flow Foundation.

Despite the appeal, Flow validators have not yet been able to respond. Blockchain data shows that Flow remained stalled at block height 137,385,824 since late Saturday night, even as the Flow Foundation indicated that the network was expected to restart within four to six hours. 

So far, the market reaction has been severe. The FLOW token dropped by roughly 42% since the exploit, according to data from CoinCodex. The controversy was further complicated by mixed messaging from ecosystem stakeholders. 

In October, Dapper Labs—the creator of Flow—said a revised recovery plan would eliminate the need for a rollback entirely, preserving legitimate user activity while restoring network operations. However, critics argue that the damage to confidence had already been done. Smirnov described the rollback decision as rushed and said ecosystem partners were not properly notified, and warned that rollbacks can cause cascading issues for bridges, custodians, exchanges, and users who acted in good faith.

Gabriel Shapiro, general counsel at Delphi Labs, criticized Flow’s approach by suggesting it effectively creates unbacked assets and shifts the burden of mitigation onto bridges and issuers. While Dapper Labs has insisted that no user balances—including its own treasury—were affected, skepticism remains.

Flow once attracted a lot of backing, and even secured $725 million in funding from firms including Andreessen Horowitz and Union Square Ventures. Today, however, the network has just $85.5 million in total value locked, and FLOW has slipped outside the top 300 cryptocurrencies by market capitalization.

Trust Wallet to Reimburse Users

Another crypto-related company is trying to recover after a recent exploit. Trust Wallet announced the launch of a formal compensation process for users that were impacted by a recent security incident involving its Chrome browser extension, following the discovery of malicious code embedded in version 2.68 of the software. The issue was identified two days before the announcement, after reports surfaced that user funds were being drained shortly after an update released on Dec. 24.

Affected users are now able to submit claims through an official support form hosted on Trust Wallet’s website. The claims process requires users to provide details including their email address, country of residence, compromised wallet addresses, the attacker’s receiving addresses, and relevant transaction hashes. Trust Wallet said it is committed to compensating all users impacted by the incident.

According to Trust Wallet, roughly $7 million in digital assets were stolen across multiple blockchains, including Bitcoin, Ethereum, and Solana. Blockchain security firm PeckShield reported that more than $4 million of the stolen funds had already been funneled through centralized exchanges like ChangeNOW, FixedFloat, and KuCoin.

Changpeng Zhao, founder of Binance, which acquired Trust Wallet in 2018, confirmed publicly that all losses would be covered. Zhao stated on X that user funds remain “SAFU.”

The incident was first flagged publicly on Christmas Day by on-chain investigator ZachXBT, who warned that multiple Trust Wallet users were reporting drained balances shortly after the Chrome extension update. Trust Wallet issued a fix in version 2.69 on Dec. 25. CEO Eowyn Chen later explained that users who accessed the extension before Dec. 26 at 11 a.m. UTC were potentially affected. 

The company’s investigation determined that a leaked Chrome Web Store API key was used to publish the compromised extension, bypassing internal release controls. Security firm SlowMist found that the malicious code harvested wallet seed phrases using a modified open-source analytics library. Trust Wallet confirmed that mobile app users and users of other browser extensions were not impacted.