Assets
Crypto Deposit
Fiat Deposit
Convert
Transfer
Withdraw
My vouchers
Fund history
Dashboard
Account Security
Identity verification
API Management
Transaction Report
Log out
Register
BTCC / BTCC Square / Cryptopolitan /
Flow Blockchain Bleeds $3.9M: Cadence Runtime Type Confusion Exploit Unpacked

Flow Blockchain Bleeds $3.9M: Cadence Runtime Type Confusion Exploit Unpacked

Author:
Cryptopolitan
Published:
2026-01-07 14:30:52
12
3

Flow blames Cadence runtime type confusion vulnerability for $3.9M exploit

Another day, another smart contract heist—only this time, the culprit isn't a shadowy hacker but a fundamental flaw in the programming language itself.

The Flow blockchain points to a critical vulnerability within its Cadence smart contract runtime. The bug? Type confusion. It’s a classic programming pitfall where the system misidentifies one type of data for another, creating a backdoor for digital asset theft. In this case, that confusion translated directly into a $3.9 million exploit.

How a Simple Bug Becomes a Multi-Million Dollar Drain

The exploit didn't need fancy zero-day tricks. Attackers manipulated the runtime's type system, effectively tricking the blockchain into handing over assets it shouldn't have recognized or released. It’s the digital equivalent of forging a warehouse receipt to walk off with pallets of gold—the guard (the runtime) checks the paperwork, sees it's valid, and waves the thief through.

This bypasses the very security guarantees that smart contracts are supposed to provide, turning a feature designed for safety into a vector for massive loss.

The Inevitable Post-Mortem and the Road Ahead

Flow's team is now in the standard crisis-response loop: patching the vulnerability, tracing the stolen funds (likely already scattered across mixers), and reassuring the community. It’s a stark reminder that in crypto, the cutting edge of innovation is often just inches from the bleeding edge of risk.

For a sector obsessed with 'decentralizing trust,' it’s ironic how often we’re forced to blindly trust that the next line of code won’t vaporize our funds. The $3.9 million question remains: will this lead to stronger audits and formal verification, or just another line item in the growing ledger of 'expensive lessons'? Sometimes, the most bullish thing you can do is demand better plumbing.

Flow identifies type confusion vulnerability as exploit root cause

A type confusion vulnerability was found to be the primary cause by Flow. The vulnerability made it possible for the attacker to evade runtime safety checks by disguising a protected asset as a regular data structure. The attacker coordinated the execution of about 40 malicious smart contracts.

The attack started at block height 137,363,398 on December 26, 2025, at 23:25 PST. Minutes after the first deployment, the production of counterfeit tokens started. The attacker used standard data structures that are replicable to disguise protected assets that ought to be uncopyable. By taking advantage of Cadence’s move-only semantics, this made token counterfeiting possible.

Cadence and a fully EVM-equivalent environment are the two integrated programming environments run by Flow. In this instance, the exploit targeted Cadence.

Network down within six hours of initial malicious transaction

On December 27, at block height 137,390,190, Flow validators started a coordinated network pause at 05:23 PST. All escape routes were cut off, and the halt occurred less than six hours after the initial malicious transaction.

Counterfeit FLOW was being moved to centralized exchange deposit accounts by December 26 at 23:42 PST. Due to their size and irregularity, most of the large FLOW transfers that were sent to exchanges were frozen upon receipt. Beginning at 00:06 PST on December 27, a few assets were bridged off-network using Celer, deBridge, and Stargate.

At 01:30 PST, the first detection signals were raised. At this point, exchange deposits were correlated with anomalous cross-VM FLOW movements. As counterfeit FLOW was liquidated beginning at 1:00 PST, centralized exchanges faced significant sell pressure.

Exchanges return 484 million counterfeit FLOW tokens

According to Flow, the attacker deposited 1.094 billion fake FLOW across several centralized exchanges. Exchange partners Gate.io, MEXC, and OKX returned 484,434,923 FLOW, which was destroyed. 98.7% of the remaining supply of counterfeit goods has been isolated onchain and is in the process of being destroyed. Complete resolution is anticipated in 30 days, and coordination with other exchange partners is still in progress.

After the community evaluated several recovery options, including checkpoint restoration, the recovery strategy was chosen. Flow held ecosystem-wide consultations with infrastructure partners, bridge operators, and exchanges.

Flow’s $3.9 million exploit happened within a similar pattern of security incidents affecting crypto protocols in late December 2025 and early January 2026. BtcTurk suffered a $48 million hot wallet breach on January 1, 2026. Hackers compromised the centralized exchange’s hot wallet infrastructure and siphoned funds across Ethereum, Arbitrum, Polygon and other chains.

Binance experienced a market Maker account manipulation incident on January 1 involving BROCCOLI token.

Want your project in front of crypto’s top minds? Feature it in our next industry report, where data meets impact.

|Square

Get the BTCC app to start your crypto journey

Download on the App Store GEI IT ON Google Play

Get started today Scan to join our 100M+ users

Exchange for a better future

Products
Services
Guides
About Us
Terms & Agreement
Customer Service

Risk warning: Digital asset trading is an emerging industry with bright prospects, but it also comes with huge risks as it is a new market. The risk is especially high in leveraged trading since leverage magnifies profits and amplifies risks at the same time. Please make sure you have a thorough understanding of the industry, the leveraged trading models, and the rules of trading before opening a position. Additionally, we strongly recommend that you identify your risk tolerance and only accept the risks you are willing to take. All trading involves risks, so you must be cautious when entering the market.

The world’s longest-running cryptocurrency exchange since 2011 © 2011 - 2026 BTCC.com. All rights reserved

All articles reposted on this platform are sourced from public networks and are intended solely for the purpose of disseminating industry information. They do not represent any official stance of BTCC. All intellectual property rights belong to their original authors. If you believe any content infringes upon your rights or is suspected of copyright violation, please contact us at [email protected]. We will address the matter promptly and in accordance with applicable laws.BTCC makes no explicit or implied warranties regarding the accuracy, timeliness, or completeness of the republished information and assumes no direct or indirect liability for any consequences arising from reliance on such content. All materials are provided for industry research reference only and shall not be construed as investment, legal, or business advice. BTCC bears no legal responsibility for any actions taken based on the content provided herein.