Flow Blockchain Restores Network After $3.9M Exploit

  • Flow deployed Mainnet 28 fix; network now in read-only mode while validators and partners synchronize for safe restart.

  • Exploit moved $3.9M via bridges and stablecoins, but user balances remained untouched and no further loss possible.

  • Forensic teams track active laundering through Thorchain and Chainflip; exchanges and stablecoins have freeze requests in place.

A critical security exploit hit the Flow blockchain on December 27, 2025, triggering action from the Flow Foundation. The breach allowed an attacker to move approximately $3.9 million in assets off-network through bridges and exchanges.

Fortunately, user balances remained safe. Flow’s engineering teams collaborated with validators and partners to halt the network and deploy a protocol fix. The network is now undergoing final synchronization before full operations resume.

The attack occurred in Flow’s execution layer and targeted assets during a short window between 11:25 PM PST on December 26 and 5:30 AM PST on December 27. During this period, unauthorized transactions left the network primarily through bridges such as Celer, Debridge, Relay, and Stargate.

Additionally, some funds moved via WBTC and stablecoins like PYUSD. The attacker’s Ethereum wallet, 0x2e…94e1, was quickly flagged. Freeze requests were submitted to major exchanges and stablecoin issuers to contain further losses.

Network Fix and Coordination Efforts

The Flow Foundation rapidly developed a protocol fix named Mainnet 28, which validators deployed successfully. Consequently, the network went online in a read-only state, producing blocks but pausing general transaction ingestion.

Validators and critical ecosystem partners, including bridges and centralized exchanges, are synchronizing to ensure ledger consistency. The Foundation emphasized that this synchronization window is essential to prevent transaction failures and guarantee accurate user balances.

Besides restoring integrity, the protocol fix removes unauthorized transactions from the ledger. Flow highlighted that legitimate user activity within the exploit window must be resubmitted after the restart. Node operators aim to complete the restart within hours, pending successful final validation. Additionally, the Foundation committed to publishing a full technical post-mortem within 72 hours.

Forensic Tracking and Active Laundering

FindLabs, working with Flow’s security teams, published detailed forensic tracking of the exploit. Approximately $3.9 million in assets left the network, with some actively routed through privacy-focused protocols like Thorchain and Chainflip.

Confirmed transactions include 297.69 ETH via Celer, 479.35 ETH via Debridge, 109.19 ETH direct withdrawals, and smaller transfers through Relay, Stargate, WBTC, and PYUSD. The Foundation confirmed no further unauthorized activity is possible after the network halt.
