Flow’s controversial planned rollback to undo $3.9 million exploit ‘blindsided’ some partners

The Block

The Flow blockchain plans to restart Sunday after validators roll back the network's transaction history to a checkpoint prior to a $3.9 million exploit that occurred late on Friday, but the decision to reverse the ledger without coordinating with key ecosystem partners has triggered a backlash from cross-chain bridge operators.

Alex Smirnov, co-founder of deBridge, one of the largest bridge providers supporting Flow, said on X that his team received no advance warning before the rollback was decided upon.

"The Flow team has decided to roll back the blockchain and claimed to be in a forced sync window with key ecosystem partners," Smirnov wrote. "As one of the main bridge providers for Flow, deBridge has not received any communication or coordination from the Flow team, posing significant risk."

In response to written questions from The Block, Smirnov said the Flow team did eventually reach out after his public criticism, but remained committed to the rollback approach. "At the time of that communication, they were still leaning toward proceeding with a rollback," he said. "Our main objective in that discussion was to understand what problem they believe a rollback would solve, given that the attacker had already moved funds off Flow."

Rollback or hard fork?

Smirnov argued the rollback would punish the wrong people. "From our perspective, a rollback at this stage would not affect the attacker, but would instead impact innocent users, liquidity providers, and ecosystem partners who acted honestly during the rollback window, potentially amplifying the overall damage," he said.

The criticism extends beyond bridge operators. Smirnov told The Block that a major centralized exchange where FLOW is traded, which deBridge proactively contacted, "confirmed they were not aware of the planned rollback and had received no prior communication." He declined to name the exchange.

"This lack of coordination is critical, as it leaves uncertainty around how deposits and withdrawals processed during the rollback window should be handled, potentially exposing the exchange to losses," Smirnov said.

deBridge and LayerZero, another major cross-chain protocol, are now aligned in pushing for an alternative approach: a hard fork that fixes the underlying vulnerability and blacklists addresses that received funds from the exploit, rather than reversing the entire ledger, Smirnov said.

"A targeted hard fork that fixes the vulnerability and confines illicit funds is the only viable option for L1s facing incidents like this," Smirnov said, pointing to how BNB Chain handled a similar incident in the past. "We're aligned with LayerZero that a hard fork addressing the vulnerability—rather than a rollback—is the best path forward."

Smirnov said deBridge itself has no financial exposure due to its "0-TVL, non-custodial design," but emphasized the broader ecosystem risk. "The concern is not deBridge's balance sheet, but preventing cascading losses being pushed onto ecosystem partners, liquidity providers and users who had no involvement in the exploit," he said.

He added that deBridge is encouraging Flow to establish "a war room that would involve bridges, asset custodians, CEXs, and security groups like Seal911 into collaborative discussion to work out the best path forward."

"We are extending the coordination window to account for the various network partners," the Flow Foundation said in an X post on Sunday morning, before Smirnov's initial X post. "Resuming ingestion before all partners are synced could lead to data inconsistencies or service interruptions for users."

Flow misses target for update post

The Flow Foundation had pledged to publish another update at 7 a.m. PST, a deadline the team had missed. However, in a follow-up post at about 2 p.m. EST on Sunday, the Foundation said it is carefully evaluating feedback from partners and will be "taking additional time to ensure full alignment and broad support across the network." The Foundation did not respond to multiple requests for comment from The Block.

The Flow Foundation confirmed the exploit on December 27, stating that an attacker had exploited a vulnerability in the network's execution layer. Security expert Taylor Monahan told The Block the attacker was able to "mint native token, FLOW, and other bridged tokens like WBTC, WETH, and stablecoins." Onchain analyst Wazz identified the attack pattern as consistent with a private key compromise rather than a smart contract bug.

In its recovery announcement, the Flow Foundation said the network would be "restored to a checkpoint prior to the exploit" and that all transactions submitted during the affected window will not be retained and must be resubmitted. The team committed to releasing a technical post-mortem within 72 hours.

The FLOW token plunged more than 40% following the initial exploit disclosure, falling from approximately $0.17 to a low of $0.079 before stabilizing around $0.10, according to The Block's Flow Price Page. It is currently trading around $0.11. South Korean exchanges Upbit, Bithumb, and Coinone suspended deposits and withdrawals following the exploit, while the Digital Asset Exchange Alliance issued a formal transaction risk warning.

Updated at 2:28 p.m. EST with details of the Flow Foundation's follow-up announcement.