coin-img-WOTAMALAILEWOTAMALAILE+196.60%coin-img-BREVBREV-6.98%coin-img-PEPEPEPE-6.57%coin-img-LIGHTERLIGHTER-3.05%coin-img-BONKBONK-3.73%coin-img-HYPEHYPE-2.76%coin-img-AAVEAAVE-1.26%coin-img-SUISUI+0.03%coin-img-WOTAMALAILEWOTAMALAILE+196.60%coin-img-BREVBREV-6.98%coin-img-PEPEPEPE-6.57%coin-img-LIGHTERLIGHTER-3.05%coin-img-BONKBONK-3.73%coin-img-HYPEHYPE-2.76%coin-img-AAVEAAVE-1.26%coin-img-SUISUI+0.03%coin-img-WOTAMALAILEWOTAMALAILE+196.60%coin-img-BREVBREV-6.98%coin-img-PEPEPEPE-6.57%coin-img-LIGHTERLIGHTER-3.05%coin-img-BONKBONK-3.73%coin-img-HYPEHYPE-2.76%coin-img-AAVEAAVE-1.26%coin-img-SUISUI+0.03%coin-img-WOTAMALAILEWOTAMALAILE+196.60%coin-img-BREVBREV-6.98%coin-img-PEPEPEPE-6.57%coin-img-LIGHTERLIGHTER-3.05%coin-img-BONKBONK-3.73%coin-img-HYPEHYPE-2.76%coin-img-AAVEAAVE-1.26%coin-img-SUISUI+0.03%
user-avatar
Vignesh Karunanidhi

Flow details $3.9 million exploit, Cadence type confusion bug, and recovery steps in January 2026 report

On January 6, 2026, Flow released a post‑incident report explaining how a $3.9 million exploit was carried out through a type confusion vulnerability in the Cadence runtime that enabled counterfeit FLOW token creation. The attacker began executing about 40 malicious contracts on December 26, 2025, and network validators halted the chain less than six hours after the initial malicious transaction. Flow stated that existing user balances were not accessed, while exchanges received 1.094 billion fake FLOW and later returned 484,434,923 tokens for destruction, with most of the remaining supply isolated onchain.
Selected
FLOW
FLOW+2.22%
Disclaimer: The content above is only the author's opinion and does not represent BingX’s stance. It shall not be construed as investment advice from BingX. For details, refer to the Terms and Conditions.