Fixed: Cadence Vulnerability 2021-04-13

DrewGarrison · May 14, 2021, 8:56pm

Issue Overview

Current Status: Issue Fixed
Affected Network: Testnet, Mainnet

Summary of Impact

The vulnerability could have allowed someone to send a malicious transaction that would have allowed them to duplicate resources.

Technical Summary of Issue

Function post-conditions may use the special variable result, which is the value that is returned from the function
If the function return type is a resource type, the result variable represents a second location for the resource to exist in, which should be invalid
This is a language design issue, the interaction of resource semantics and post-conditions was not considered

Addressing the Issue

Hot Fix

When the return type of a function is a resource type, then declare the type of the special variable result to be a reference type.

Recognition

As core contributors to the Flow ecosystem, we take reported issues very seriously and would like to thank Deniz Mert Edincik for finding and reporting this issue responsibly through our Responsible Disclosure Policy.

Timeline

2021-04-13

Issue reported

2021-04-15

Issue investigated
Minimal reproduction created
Fix implemented
Analyzed impact on Mainnet contracts
Fix tested locally
Testnet updated and tested
Mainnet update started

2021-04-16

Mainnet update complete and tested

2021-05-14

Public disclosure

Topic		Replies	Views
Fixed: Cadence Vulnerability 2021-07-14 Security Notifications	0	592	July 22, 2021
Fixed: Cadence Vulnerabilities 2022-06 Security Notifications	0	529	June 22, 2022
Fixed: Cadence Vulnerabilities 2023-07-10 Security Notifications	1	336	July 18, 2023
Fixed: Cadence Vulnerability 2021-03-24 Security Notifications	0	719	April 7, 2021
Fixed: Cadence Vulnerability 2024-08-30 (default functions) Security Notifications	0	66	October 1, 2024