Cadence Security Report 2023-07-06
Issue Overview
- Current Status: Issue Fixed
- Affected Network: Testnet, Mainnet
Summary of Impact
Four issues were found with different impact levels:
- A critical-impact vulnerability that would have allowed someone to duplicate resources.
- A critical-impact vulnerability that would have allowed crashing the execution node and thus halting the network.
- A low-impact vulnerability that would lead to resources being lost.
- An issue that rejected valid programs.
Technical Summary of Issues
- Taking a reference to an optional must return an optional reference. However, this was not the case for AnyStruct/AnyResource optionals, allowing them to be misused. Thus, the following two cases are now rejected by the Cadence type checker:
  - Taking a reference of an optional as a non-optional:
      var optionalValue: @AnyResource? = ...
      var ref = &optionalValue as &AnyResource // This is now rejected
    Instead, an optional reference must be taken:
      var optionalValue: @AnyResource? = ...
      var ref = &optionalValue as &AnyResource?
    and the optional reference then handled.
  - Taking a reference of a non-optional as an optional:
      var value: @AnyResource = ...
      var ref = &value as &AnyResource? // This is now rejected
    Instead, a non-optional reference must be taken:
      var value: @AnyResource = ...
      var ref = &value as &AnyResource
- During the transfer of resources, it was possible to get stuck in a recursive transfer, causing the execution node to be crashed/halted.
- Functions with var-args allowed passing more arguments than the actual number of arguments that are expected by the function implementation, which could lead to a loss of resources. Passing such invalid additional arguments is now statically rejected.
  For example, the built-in assert function accepts var-args, and any invalid use of this function may be affected by this change. The assert function now accepts a maximum of two arguments: a condition and a message.
- Inlined functions (function closures) could result in errors being reported for valid programs.
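An added illustration, not code from the original report, of the reference pattern the type checker now requires (an optional reference that is unwrapped before use) together with a two-argument assert call. The Vault resource and the main script are assumed for this example.

```cadence
// Added example: the Vault resource is constructed for illustration only.
pub resource Vault {
    pub var balance: UFix64
    init(balance: UFix64) {
        self.balance = balance
    }
}

pub fun main(): UFix64 {
    let optionalVault: @Vault? <- create Vault(balance: 10.0)

    // Rejected since the fix: a non-optional reference to an optional value.
    // let bad = &optionalVault as &Vault

    // Required form: the reference is itself optional and must be unwrapped.
    let ref = &optionalVault as &Vault?
    var observed: UFix64 = 0.0
    if let vaultRef = ref {
        observed = vaultRef.balance
    }

    // assert accepts at most two arguments: the condition and a message.
    assert(observed == 10.0, message: "unexpected balance")

    destroy optionalVault
    return observed
}
```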
Mitigation
The security reports were immediately acknowledged and reproduced. Fixes were developed and deployed to all networks, and the runtime defensive check was improved to prevent misuse of references.
In the future, the Cadence team plans to add additional defensive checks to prevent resources from being duplicated or re-destroyed.
Recognition
As core contributors to the Flow ecosystem, we take reported issues very seriously and would like to thank BlueSign for reporting the issues responsibly through our Responsible Disclosure Policy.