Fixed: Cadence Vulnerability 2021-04-13

Issue Overview

  • Current Status: Issue Fixed
  • Affected Network: Testnet, Mainnet

Summary of Impact

The vulnerability could have allowed someone to send a malicious transaction that would have allowed them to duplicate resources.

Technical Summary of Issue

  • Function post-conditions may use the special variable result, which is the value that is returned from the function
  • If the function return type is a resource type, the result variable represents a second location for the resource to exist in, which should be invalid
  • This is a language design issue, the interaction of resource semantics and post-conditions was not considered

Addressing the Issue

Hot Fix

When the return type of a function is a resource type, then declare the type of the special variable result to be a reference type.


As core contributors to the Flow ecosystem, we take reported issues very seriously and would like to thank Deniz Mert Edincik for finding and reporting this issue responsibly through our Responsible Disclosure Policy.



  • Issue reported


  • Issue investigated
  • Minimal reproduction created
  • Fix implemented
  • Analyzed impact on Mainnet contracts
  • Fix tested locally
  • Testnet updated and tested
  • Mainnet update started


  • Mainnet update complete and tested


  • Public disclosure