Flow fake token vulnerability exposed! 40% crash in 5 hours, $3.9 million lost

(Image: Flow fake token vulnerability exposed)

The Flow Foundation has disclosed a protocol-level vulnerability exploited on December 27 that resulted in a loss of $3.9 million. Attackers used a flaw in the Cadence runtime to duplicate assets rather than steal them; validators paused the network within six hours of the first malicious transaction and resumed it two days later. FLOW fell 40% in five hours after the attack, extending a slide from above $40 in 2021 to a low of $0.075. Created by Dapper Labs, Flow raised roughly $725 million from investors including a16z.

Analysis of the Protocol-Level Token Duplication Technical Vulnerability

On Tuesday, the Flow Foundation released a technical analysis report detailing the protocol-level vulnerability incident of December 27. Attackers exploited a flaw in Flow's Cadence runtime that allowed them to duplicate certain assets rather than mint new ones, bypassing supply controls without accessing or consuming any existing user balance.

This type of attack is rare in blockchain security history. Conventional attacks steal private keys or exploit smart-contract bugs to move assets out of user accounts, whereas the Flow flaw let attackers "copy" tokens out of thin air, like photocopying banknotes. Because the attack duplicated assets rather than draining accounts, existing user balances were unaffected, which also made it hard to detect at first: no user saw a wallet balance fall. The anomaly shows up only in aggregate, as an asset's circulating supply exceeding what its mint and burn history can account for, so supply-level monitoring rather than per-account balance alerts is what catches it.
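The contrast above, duplication versus theft, is easiest to see in a supply-conservation check. The following is an added example written for this article, not Flow Foundation or Cadence code: a toy ledger with a constructed event log and constructed balance snapshots, where the event format, account names and amounts are all assumptions made for illustration. It shows why a monitor that only watches for balances going down catches a theft but not a duplication, while replaying the mint/burn history against the observed state catches both.

```python
"""Supply-conservation audit (added example; not Flow's or Cadence's code).

Idea: a duplication bug credits an account without a matching debit or mint.
Per-account balances never fall, so a "did a balance drop?" monitor is blind.
Replaying the event log and comparing the authorised supply with the sum of
observed balances exposes the excess.  All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    kind: str            # "mint", "burn" or "transfer"  (assumed format)
    src: Optional[str]   # debited account, None for mint
    dst: Optional[str]   # credited account, None for burn
    amount: int


def replay(events: List[Event]) -> Tuple[Dict[str, int], int]:
    """Recompute balances and the supply that the mint/burn history authorises."""
    balances: Dict[str, int] = defaultdict(int)
    supply = 0
    for ev in events:
        if ev.amount <= 0:
            raise ValueError("amounts must be positive")
        if ev.kind == "mint":
            balances[ev.dst] += ev.amount
            supply += ev.amount
        elif ev.kind == "burn":
            if balances[ev.src] < ev.amount:
                raise ValueError(f"burn exceeds balance of {ev.src}")
            balances[ev.src] -= ev.amount
            supply -= ev.amount
        elif ev.kind == "transfer":
            if balances[ev.src] < ev.amount:
                raise ValueError(f"transfer exceeds balance of {ev.src}")
            balances[ev.src] -= ev.amount
            balances[ev.dst] += ev.amount
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return dict(balances), supply


def audit(events: List[Event], observed: Dict[str, int]) -> dict:
    """Compare a node's balance snapshot against the replayed log.

    excess      -- tokens held in accounts beyond what minting authorised
    unexplained -- per-account deltas the event log cannot account for
    """
    expected, supply = replay(events)
    unexplained = {}
    for acct in sorted(set(expected) | set(observed)):
        delta = observed.get(acct, 0) - expected.get(acct, 0)
        if delta != 0:
            unexplained[acct] = delta
    return {"excess": sum(observed.values()) - supply, "unexplained": unexplained}


def balances_that_fell(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """The naive per-account monitor: accounts whose balance went down, and by how much."""
    return {a: before[a] - after.get(a, 0) for a in before if after.get(a, 0) < before[a]}


# Constructed sample data -------------------------------------------------
HONEST_LOG = [
    Event("mint", None, "treasury", 1_000),
    Event("transfer", "treasury", "alice", 400),
    Event("transfer", "alice", "bob", 150),
]
HONEST_STATE = {"treasury": 600, "alice": 250, "bob": 150}

# Theft: the attacker moves bob's tokens with a transfer that IS in the log
# (e.g. stolen key or contract bug).  Supply is conserved; bob's balance drops.
THEFT_LOG = HONEST_LOG + [Event("transfer", "bob", "mallory", 150)]
THEFT_STATE = {"treasury": 600, "alice": 250, "bob": 0, "mallory": 150}

# Duplication: the runtime credited mallory with no debit and no mint event.
# No balance falls, but 500 tokens exist that no mint authorised.
DUP_STATE = {"treasury": 600, "alice": 250, "bob": 150, "mallory": 500}

if __name__ == "__main__":
    print("honest:", audit(HONEST_LOG, HONEST_STATE))
    print("theft, per-account monitor:", balances_that_fell(HONEST_STATE, THEFT_STATE))
    print("theft, supply audit:", audit(THEFT_LOG, THEFT_STATE))
    print("dup, per-account monitor:", balances_that_fell(HONEST_STATE, DUP_STATE))
    print("dup, supply audit:", audit(HONEST_LOG, DUP_STATE))
```

The duplication case passes the per-account monitor untouched and is caught only by the replay, which is the point: the check has to be on the invariant the bug violates (total supply), not on the symptom a user would notice.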

Within six hours of the first malicious transaction, validators coordinated to pause the network, and exchange partners froze assets before most of the counterfeit tokens could be sold. Flow said the temporary halt put the network into read-only mode to cut off exit routes and prevent further duplication while the investigation proceeded.

Two days later, operations resumed under an "isolation recovery" plan that preserved legitimate transaction records and authorized the recovery and permanent destruction of counterfeit assets through an approved governance process. Although the attacker generated a large number of fake tokens on-chain, Flow said the vast majority had been contained or frozen before they could be liquidated. As a precaution, a small number of accounts that had interacted with the counterfeit tokens were temporarily restricted, while over 99% of accounts retained full access during and after recovery.

Timeline and Handling Process of the Flow Vulnerability Incident

December 27, first attack: Attacker exploits the Cadence flaw and begins duplicating tokens

Within 6 hours, network pause: Validators coordinate to switch the network to read-only mode, cutting off exit routes

Emergency exchange freeze: Partners freeze assets before most counterfeit tokens can be sold

Two days later, isolation recovery: Legitimate transactions preserved, counterfeit assets destroyed, over 99% of accounts retain full access

From $40 to $0.075: A Long Decline

(Image: FLOW price crash)

(Source: CoinGecko)

Dapper Labs, creator of the non-fungible token project CryptoKitties, announced in September 2019 the development of Flow, a new Layer 1 blockchain designed to address scalability challenges faced by consumer applications like gaming and digital collectibles. The early success of NBA Top Shot—a platform for trading officially licensed NBA highlight NFTs—helped bring mainstream attention to the Flow blockchain in 2020 and 2021.

Against this backdrop, according to CoinGecko data, the network’s FLOW token surged above $40 in 2021. Flow’s momentum continued into 2022, with the project raising approximately $725 million from investors including Andreessen Horowitz (a16z) and Union Square Ventures to support ecosystem development. This top-tier institutional backing once positioned Flow as a leader in NFT infrastructure.

As the NFT market cooled in subsequent years, FLOW’s momentum waned, and its market cap fell out of the top 300 cryptocurrencies. After the December 27 attack, FLOW’s price declined rapidly, dropping about 40% within five hours. The token hit a low of $0.075 on January 2 but then began to recover. According to Cointelegraph data, as of press time, its trading price was close to $0.10, up approximately 16% in the past 24 hours.

From $40 to $0.075 is a decline of more than 99.8%, a collapse that is extreme even by crypto standards. Flow's fall reflects the broader difficulties of the NFT infrastructure sector, where projects without real-world utility are quickly abandoned once speculative hype subsides.

Vulnerability Fixes and Future Security Enhancements

The Foundation stated that they have patched the underlying flaw, added stricter runtime checks, and expanded regression testing to prevent similar attacks. They are also working with forensic partners and law enforcement, planning to strengthen monitoring and bug bounty programs as part of broader security reinforcement measures.

This comprehensive security response is necessary, but the incident also exposes early design weaknesses in Flow. Cadence, the language at the core of Flow's smart contracts, models tokens as resources that can be moved but never copied, so a runtime flaw that allows an asset to be duplicated undermines the guarantee the whole platform rests on, and points to gaps in code auditing and security testing. For a blockchain that has operated for years and handled hundreds of millions of dollars in transactions, a protocol-level flaw of this kind is rare and serious.

Enhancing the bug bounty program is a positive signal, but investor confidence has been damaged. Flow needs to rebuild trust through ongoing security audits, transparent incident reporting, and a sustained record of incident-free operation. In the highly competitive Layer-1 market, a major security incident can be fatal.
