Flow published a post-incident report on January 6, 2026, discussing the root cause of its $3.9 million exploit. An attacker used a type-confusion vulnerability in the Cadence runtime to forge tokens.