Fixed: Cadence Vulnerabilities 2023-09-16

Issue Overview

  • Current Status: Issue Fixed
  • Affected Network: Testnet, Mainnet

Summary of Impact

An attacker may gain unauthorized access to more functionality than granted:
An attacker can borrow a private capability, even when it was not shared with them.

Technical Summary of Issues

  • Values sent as arguments to transactions and scripts are checked for their importability: Some values may not be imported.
    For example, public capability values can be imported, while private capability values cannot be imported.
  • Importability should be checked on the value level.
    For example, the Capability type on its own is importable, but a concrete capability value’s importability depends on its path.
  • BUG: A composite value (struct, resource, etc.) was determined to be importable if the type is importable. For example, a resource is not importable, but a struct is.
    However, the importability check did not properly validate the composite value’s field values
  • Other containers, like arrays, dictionaries, and optional values, already determined importability by ensuring all child elements are importable

Mitigation

The security reports were immediately acknowledged and reproduced. Fixes were developed and deployed to all networks. Added check of importability of composite field values, not just type.

Recognition

As core contributors to the Flow ecosystem, we take reported issues very seriously and would like to thank Austin from flowty.io team for reporting the issues responsibly through our Responsible Disclosure Policy.

4 Likes

Good find @austin

3 Likes

Awesome find @austin :mage:

1 Like

great work @austin

1 Like

Thank you @austin and team

1 Like

Congrats on the great find @austin !!!

1 Like