ChainCatcher reports that the Flow Foundation has issued an official update stating that an attacker exploited a vulnerability in the Flow execution layer, transferring approximately $3.9 million in assets off-chain before the coordinated shutdown of validators. The Foundation emphasized that the incident did not affect any existing user balances, and all user deposits remain intact.
The outflowed funds were primarily transferred via cross-chain bridges. The attacker’s address has been identified and flagged, with related money laundering paths being tracked in real-time, and freeze requests have been submitted to Circle, Tether, and major exchanges. The Foundation stated that the network has been isolated, and a vulnerability fix has been released and is in the verification and deployment phase.
To remove unauthorized transactions, the network will roll back to a checkpoint prior to the attack. Legitimate transactions submitted during this period will need to be resubmitted after the restart. Based on feedback from validators and ecosystem partners, the Foundation has decided to extend the coordination time to ensure network-wide consensus and long-term security, and will not rush the restart before sufficient consultation is completed. User funds remain secure throughout the process, and updates will continue to be released according to the established schedule.
Previous news: deBridge co-founder warned that a hasty rollback by Flow could trigger greater systemic risks.
