TL;DR
- Flow faced a $3.9M exploit on Dec. 27; validators halted the chain as FindLabs said user balances were untouched and freezes were requested.
- Developers proposed a checkpoint rollback, but deBridge’s Alex Smirnov said partners were blindsided and warned bridge edge cases could create doubled balances.
- After FLOW fell over 40% and TVL swung from $107M to $73.8M then $97.2M, Flow dropped the rollback for token burn and a phased restart.
Flow’s plan to unwind a $3.9 million exploit has put governance, not code, at the center of its crisis response. On Dec. 27, an attacker exploited a vulnerability in Flow’s execution layer and moved roughly $3.9 million across multiple cross-chain bridges before validators halted the chain. Flow Foundation and forensic partner FindLabs said existing user balances were not accessed, and that exit routes were mapped with freeze requests sent to major exchanges and stablecoin issuers. Investigators also identified the attacker’s Ethereum wallet. Immutability suddenly became negotiable under stress, reigniting a debate partners thought was settled.
FLOW NETWORK INCIDENT: Forensic Fund Tracking Report
FindLabs is publishing the following analysis in collaboration with the
Flow Foundation's security and engineering teams, who conducted the
primary forensic investigation.• INCIDENT CONFIRMATION
On December 27, 2025, an…
— Find Labs (@findlabs) December 27, 2025
Partner Backlash Forces a Pivot
Within hours, developers proposed rolling back to a checkpoint prior to the exploit, erasing transactions in a several-hour window and forcing users and infrastructure providers to resubmit activity. The Foundation framed it as neutralizing unauthorized minting, yet key ecosystem partners said they were blindsided, arguing they were not consulted. deBridge founder Alex Smirnov said he learned of the decision only after it was announced publicly. He warned of doubled balances for users who bridged out and losses for those who bridged in, urging validators to pause until custodians like LayerZero could handle affected USDC transfers.
Operational uncertainty then spilled into market optics. Flowscan showed the network stalled at a fixed block height for an extended period, even as the Foundation said a restart was expected within hours. After the exploit and rollback announcement, the FLOW token fell more than 40%, and some centralized exchanges temporarily suspended transactions. DefiLlama data showed total value locked dropping from $107 million to $73.8 million before rebounding to about $97.2 million, a 31% recovery in 24 hours. Delphi Labs counsel Gabriel Shapiro warned rollbacks could push losses onto bridges and issuers by creating unbacked assets.
I woke up to the news about Flow’s decision to roll back the chain.
Despite Flow stating that they are “in a mandatory synchronization window with critical ecosystem partners (bridges, CEXs, DEXs)”, I can confirm that 𝐝𝐞𝐁𝐫𝐢𝐝𝐠𝐞 — 𝐨𝐧𝐞 𝐨𝐟 𝐭𝐡𝐞 𝐦𝐚𝐣𝐨𝐫 𝐛𝐫𝐢𝐝𝐠𝐞… https://t.co/oVTPbKDMcl
— deAlex (@AlexSmirnov) December 28, 2025
Facing pressure, the Foundation shifted course on Dec. 29 with a remediation plan developed with bridge operators, exchanges, and validators. It abandoned a global rollback and instead focused on isolating and destroying fraudulently minted tokens while preserving legitimate user activity. Dapper Labs said it reviewed and supported the revised approach, stressing no user balances or treasury assets were impacted and its platforms would return as operations resumed. Under the phased restart, accounts flagged by forensics were restricted, validators approved the software upgrade, and the network came back in read-only mode, with 99.9% of accounts unaffected.
