Fixed: Cadence Vulnerabilities 2023-09-16

Issue Overview

  • Current Status: Issue Fixed
  • Affected Network: Testnet, Mainnet

Summary of Impact

An attacker may gain access to more functionality than was granted to them:
by passing a private capability as a transaction or script argument, an attacker could borrow it even though it was never shared with them.

Technical Summary of Issues

  • Values sent as arguments to transactions and scripts are checked for importability; some values may not be imported.
    For example, public capability values can be imported, while private capability values cannot.
  • Importability must be checked at the value level, not only at the type level.
    For example, the Capability type on its own is importable, but whether a concrete capability value is importable depends on its path.
  • BUG: A composite value (struct, resource, etc.) was determined to be importable solely from its type. For example, a resource is not importable, but a struct is.
    However, the importability check did not validate the composite value’s field values, so a struct whose field held a private capability passed the check.
  • Other containers, such as arrays, dictionaries, and optionals, already determined importability by ensuring that all child elements are importable.
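The following Go program is an added illustration of the check described above; it is not Cadence's own code. It models a handful of Cadence value kinds (the type names, the string-keyed dictionary, and the `isImportable` helper are assumptions made for the example) and implements both the original rule, which decided a composite's importability from its type alone, and the fixed rule, which also walks the composite's fields. Arrays, dictionaries and optionals recurse into their elements in both variants, as the summary says they already did.

```go
package main

import "fmt"

// Value is a stand-in for a Cadence runtime value. Only the variants needed to
// show the importability rule are modelled (assumption: simplified model).
type Value interface{ isValue() }

// PathDomain is the first component of a Cadence path: /public, /private or /storage.
type PathDomain string

const (
	DomainPublic  PathDomain = "public"
	DomainPrivate PathDomain = "private"
	DomainStorage PathDomain = "storage"
)

type Path struct {
	Domain     PathDomain
	Identifier string
}

type Capability struct{ Path Path }
type Struct struct{ Fields map[string]Value }
type Resource struct{ Fields map[string]Value }
type Array struct{ Elems []Value }
type Dictionary struct{ Entries map[string]Value } // keys simplified to strings
type Optional struct{ Inner Value }               // Inner == nil models Cadence nil
type Int struct{ V int64 }
type String struct{ V string }

func (Capability) isValue() {}
func (Struct) isValue()     {}
func (Resource) isValue()   {}
func (Array) isValue()      {}
func (Dictionary) isValue() {}
func (Optional) isValue()   {}
func (Int) isValue()        {}
func (String) isValue()     {}

// isImportable walks a value and reports whether it may be passed as a
// transaction or script argument. checkCompositeFields selects between the
// original (type-only) rule for composites and the fixed (field-recursing) rule.
func isImportable(v Value, checkCompositeFields bool) bool {
	switch x := v.(type) {
	case nil:
		return true // Cadence nil is importable
	case Int, String:
		return true
	case Capability:
		// The Capability type is importable, but a concrete value is only
		// importable when it targets a public path.
		return x.Path.Domain == DomainPublic
	case Resource:
		return false // resources are never importable, whatever their fields hold
	case Struct:
		if !checkCompositeFields {
			return true // BUG: the struct type is importable, so the value was accepted
		}
		for _, f := range x.Fields {
			if !isImportable(f, checkCompositeFields) {
				return false
			}
		}
		return true
	case Array:
		for _, e := range x.Elems {
			if !isImportable(e, checkCompositeFields) {
				return false
			}
		}
		return true
	case Dictionary:
		for _, e := range x.Entries {
			if !isImportable(e, checkCompositeFields) {
				return false
			}
		}
		return true
	case Optional:
		return isImportable(x.Inner, checkCompositeFields)
	default:
		return false // unknown value kinds are rejected
	}
}

// BuggyIsImportable applies the pre-fix rule; FixedIsImportable applies the fixed one.
func BuggyIsImportable(v Value) bool { return isImportable(v, false) }
func FixedIsImportable(v Value) bool { return isImportable(v, true) }

func main() {
	// Constructed sample: a private capability smuggled inside a struct argument.
	private := Capability{Path: Path{Domain: DomainPrivate, Identifier: "vault"}}
	wrapper := Struct{Fields: map[string]Value{"cap": private}}

	fmt.Println("bare private capability, buggy:", BuggyIsImportable(private))
	fmt.Println("wrapped in struct, buggy:      ", BuggyIsImportable(wrapper))
	fmt.Println("wrapped in struct, fixed:      ", FixedIsImportable(wrapper))
	fmt.Println("wrapped in array, buggy:       ", BuggyIsImportable(Array{Elems: []Value{private}}))
}
```

Running it shows the gap the report describes: the bare private capability and the array containing it are rejected by both rules, but the struct wrapping it is accepted by the buggy rule and rejected only once composite fields are walked.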

Mitigation

The security reports were immediately acknowledged and reproduced. Fixes were developed and deployed to all networks. The importability check for composite values now also validates their field values, not just the composite's type.

Recognition

As core contributors to the Flow ecosystem, we take reported issues very seriously and would like to thank Austin from the flowty.io team for reporting the issues responsibly through our Responsible Disclosure Policy.


Good find @austin


Awesome find @austin :mage:

great work @austin

Thank you @austin and team

Congrats on the great find @austin !!!