Fixed: Cadence Vulnerabilities 2023-07-10

Cadence Security Report 2023-07-06

Issue Overview

  • Current Status: Issue Fixed
  • Affected Network: Testnet, Mainnet

Summary of Impact

Four issues were found with different impact levels:

  1. A critical-impact vulnerability that would have allowed someone to duplicate resources.
  2. A critical-impact vulnerability that allowed crashing the execution node and thus halting the network.
  3. A low-impact vulnerability that would lead to resources being lost.
  4. An issue that rejected valid programs.

Technical Summary of Issues

  1. Taking a reference to an optional must return an optional reference. However, this was not the case for AnyStruct/AnyResource optionals, which allowed them to be misused. The following two cases are therefore now rejected by the Cadence type checker:
  • Taking a reference of an optional as a non-optional

      var optionalValue: @AnyResource? = ...
    
      var ref = &optionalValue as &AnyResource  // This is now rejected
    

    Instead, take an optional reference:

      var optionalValue: @AnyResource? = ...
      
      var ref = &optionalValue as &AnyResource?
      
    Then handle the optional reference.
    
  • Taking a reference of a non-optional as an optional

      var value: @AnyResource = ...
      
      var ref = &value as &AnyResource?  // This is now rejected
    

    Instead, take a non-optional reference:

      var value: @AnyResource = ...
      
      var ref = &value as &AnyResource
    
  2. During the transfer of resources, it was possible to get stuck in a recursive transfer, causing the execution node to crash or halt.
  3. Functions with var-args allowed callers to pass more arguments than the function implementation expects, which could lead to a loss of resources. Passing such invalid additional arguments is now statically rejected.
    For example, the built-in assert function accepts var-args, and any invalid use of this function may be impacted by this change. The assert function accepts a maximum of two arguments: a condition and a message.
  4. Inlined functions (function closures) could result in errors being reported for valid programs.
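
Handling the optional reference from the first issue, as an added example that is not part of the original report: the reference is unwrapped with optional binding and then downcast before any field is read. `Token`, `idOf` and `main` are hypothetical names, and the `pub` syntax is assumed to match the Cadence version in use at the time of the report.

```cadence
// Added example; Token, idOf and main are hypothetical names.
pub resource Token {
    pub let id: UInt64

    init(id: UInt64) {
        self.id = id
    }
}

// Takes the optional reference form the type checker now requires and
// returns nil for both "no resource present" and "not a Token".
pub fun idOf(_ ref: &AnyResource?): UInt64? {
    // Step 1: unwrap the optional reference.
    if let anyRef = ref {
        // Step 2: downcast the unwrapped reference to the concrete type.
        if let tokenRef = anyRef as? &Token {
            return tokenRef.id
        }
    }
    return nil
}

pub fun main(): [UInt64?] {
    var present: @AnyResource? <- create Token(id: 42)
    var absent: @AnyResource? <- nil

    // Optional values yield optional references.
    let presentRef = &present as &AnyResource?
    let absentRef = &absent as &AnyResource?

    let ids = [idOf(presentRef), idOf(absentRef)]

    // Resources must be explicitly moved or destroyed.
    destroy present
    destroy absent

    return ids
}
```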

Mitigation

The security reports were immediately acknowledged and reproduced. Fixes were developed and deployed to all networks. The runtime defensive check was also improved to prevent misuse of references.

In the future, the Cadence team plans to add additional defensive checks to prevent resources from being duplicated or re-destroyed.

Recognition

As core contributors to the Flow ecosystem, we take reported issues very seriously and would like to thank BlueSign for reporting the issues responsibly through our Responsible Disclosure Policy.

coool