Flow Security Incident Review: Type Confusion Vulnerability in Cadence Identified as Key Factor

BlockBeats News, January 7th, Folw released an attack event retrospective report, stating that the attacker exploited a Flow Network vulnerability to mint fake tokens, stealing approximately $3.9 million through a bridging attack. This attack did not access or leak any existing user balances. The attack duplicated assets but did not touch legitimately held assets, with the majority of the fake assets either stored on-chain before liquidation or frozen by exchange partners. Network validators have approved a decentralized governance action authorizing the permanent destruction of all fake assets. The network resumed operation on December 29th, is currently running smoothly, and all transaction history has been preserved.

The attacker sequentially deployed over 40 malicious smart contracts, leveraging a three-stage attack chain: 1) bypassing attachment import verification; 2) circumventing defense checks of built-in types; 3) exploiting a contract initializer semantic vulnerability. The root cause was a type confusion vulnerability in the Cadence runtime (v1.8.8), which has now been patched (v1.8.9 and higher versions). This vulnerability allowed the attacker to disguise protected assets (which should not be duplicable) as standard data structures (which are duplicable), bypassing runtime security checks and enabling token minting.

In addition to moving assets out of Flow, the attacker also attempted to deposit fake FLOW on several centralized exchanges, but due to the abnormal transaction volume and internal anti-money laundering protocols, multiple exchanges froze the deposit upon receipt. Approximately 50% of the fake FLOW deposits have been returned and destroyed by cooperating exchanges (such as OKX, Gate, MEXC), while the foundation continues to actively coordinate with other exchange platforms.