On December 27, 2025, the Flow blockchain experienced a security exploit that resulted in the loss of approximately $3.9 million in assets. The attacker exploited a vulnerability in the execution layer of the Flow blockchain, enabling the minting of unauthorized tokens, including FLOW, wrapped BTC, ETH, and stablecoins. These illicitly obtained funds were then moved off-network through various cross-chain bridges, such as Celer, deBridge, Relay, and Stargate, before validators could coordinate a network halt.
The initial response involved halting the network to prevent further losses. Validators proposed a rollback to a point before the exploit, which would have effectively erased several hours of transactions. This proposal triggered significant criticism from ecosystem partners, particularly bridge operators, who argued that it was rushed, poorly coordinated, and could inflict greater damage. Concerns included the potential for doubled balances for some users, unbacked assets on bridges, and the undermining of blockchain immutability and decentralization principles.
Faced with intense community and partner backlash, the Flow Foundation abandoned the rollback plan on December 29, 2025. Instead, an "isolated recovery plan" was adopted. This revised strategy involved restarting the network from the last sealed block before the halt, preserving legitimate transaction history. The plan included temporarily restricting accounts that received fraudulent tokens and using independent forensics to verify illicit assets before burning them on-chain via a validator-approved software upgrade.
The recovery process is being implemented in phases. The non-EVM (Cadence) environment was relaunched first, with the EVM initially in read-only mode. According to the Flow Foundation, over 99.9% of accounts were unaffected by the exploit. The network has entered Phase 1 recovery, with validators deploying fixes and coordination ongoing. Phase 2 involves remediation via token burns. Full EVM restoration and bridge resumptions will follow.
The incident caused the FLOW token to drop over 40%. The stolen assets were primarily bridged to Ethereum and Bitcoin and subsequently laundered through protocols like THORChain and Chainflip. Freeze requests were sent to issuers and exchanges.
The Flow Foundation's change of course in response to community feedback has been noted as a positive example of responsive governance. However, the incident has raised questions about validator power in emergencies, and it could exacerbate challenges in attracting total value locked (TVL) and institutional interest if confidence remains low. Conversely, a resilient recovery could demonstrate maturity.
