- Flow resumes Cadence activity as the network starts Phase 1 recovery work.
- The rollback proposal faces strong resistance from bridge and service operators.
- The EVM remains in read-only mode while remediation teams verify the affected accounts.
The Flow network moved into Phase 1 of its recovery on late Monday, reopening its core Cadence environment and restoring nearly all account activity after a chain-halting exploit late last week. The shift marks the first stable point in a tense, multi-day effort to contain the fallout from an attacker who slipped off with an estimated $3.9 million before validators froze the network.
According to reports, Flow resumed exactly where it stopped. No rollback, no reorganization, just a restart from the halted state, which developers stressed was essential to preserve account integrity.
Flow Enters Phase 1 Recovery as Rollback Plan Faces Backlash (Source: X)
With blocks producing again, more than 99.9% of accounts are back online and able to transact normally on Cadence. The EVM side, however, remains locked in read-only mode, a reminder that the network is not yet fully out of the woods.
Cadence Restored, But EVM Still Restricted
In an X post, Flow’s team confirmed that Cadence, the chain’s primary non-EVM environment, is fully operational. Based on the post, transactions are flowing again, and validators are stable. The network is effectively behaving as it did before the December 27 incident, minus the halted EVM layer.
RPC endpoints on the EVM side now present the correct latest state, though the system won’t process transactions until remediation passes a full verification round. A small group of accounts suspected to be exposed during the exploit remains temporarily restricted.
Developers said the limitation is precautionary and tied to ongoing cleanup rather than any new threat. For most users, daily activity on Cadence has already resumed, giving the ecosystem its first clear sign of recovery.
Exploit Forces Emergency Halt After Rapid Asset Drain
The trouble began when an attacker found a weakness in Flow’s execution layer and pushed through a string of unauthorized transfers. By the time validators realized what was happening and halted the chain, about $3.9 million in wrapped tokens and stablecoins had already moved out.
The freeze prevented further loss but triggered an immediate scramble among exchanges, bridge operators, and service providers tied into Flow’s asset pathways. Platforms such as Binance and market-tracking dashboards flagged abnormal flows almost as soon as the incident surfaced.
Within hours, Flow faced urgent decisions about whether the system should roll back to a pre-exploit checkpoint, a move that could erase the attacker’s transactions but carried heavy consequences for anyone who interacted with the chain during the affected period.
Rollback Push Collides With Strong Pushback
However, that proposed rollback landed badly. Nearly every major cross-chain operator responded with concern, but none more bluntly than Alex Smirnov of deBridge. Smirnov said his team learned of the rollback plan only after it had already circulated publicly.
“I woke up to the news about Flow’s decision to roll back the chain… I can confirm that 𝐝𝐞𝐁𝐫𝐢𝐝𝐠𝐞…𝐫𝐞𝐜𝐞𝐢𝐯𝐞𝐝 𝐳𝐞𝐫𝐨 𝐜𝐨𝐦𝐦𝐮𝐧𝐢𝐜𝐚𝐭𝐢𝐨𝐧 𝐨𝐫 𝐜𝐨𝐨𝐫𝐝𝐢𝐧𝐚𝐭𝐢𝐨𝐧 𝐟𝐫𝐨𝐦 𝐭𝐡𝐞 𝐅𝐥𝐨𝐰 𝐭𝐞𝐚𝐦, Smirnov noted in an X post.”
Reversing finalized transactions, he argued, would have introduced the risk of duplicated balances and operational disruptions for users who acted in good faith. As a result, the criticism spread quickly.
Several infrastructure teams echoed the same point: a rollback might fix one problem while creating many more, especially for applications that rely on Flow’s state to align with other chains and liquidity systems. What emerged was a clear coordination gap, one that the Flow team later acknowledged as it reassessed the plan.
Revised Roadmap Prioritizes State Integrity
Facing widespread objection, Flow abandoned the rollback idea and committed to a phased restoration approach. According to an official report, phase 2 is now underway, focusing on Cadence remediation and deeper verification work expected to take up to two days.
Phase 3 will bring the EVM layer back online once engineers confirm the environment is clean. Meanwhile, phase 4 will allow bridges and exchanges to resume normal routing, with each operator deciding its timeline.
Similarly, deBridge acknowledged it will reopen trading routes to and from Flow once full EVM functionality is restored and network conditions meet its internal standards.
For now, Phase 1 gives the ecosystem a stable foothold after a turbulent stretch. The network is running, most accounts are active, and users can transact again, while the broader system waits for the remaining layers to catch up.
