Issue Overview
- Current Status: Issue Fixed
- Affected Network: Testnet, Mainnet
Summary of Impact
- A user who is able to send transactions is able to crash the execution node and thus halt the network by attempting to store a non-storable value
- A user who is able to send transactions is able to remove the restrictions imposed on a reference and thus for example gain access to a fungible token vault even if the user is only granted access to query the balance
Technical Summary of Issues
The store function may be used to store non-storable values
- There are cases where it is possible to attempt storing non-storable values. The value encoder is unable to serialize the value, which leads to an implementation panic
A restricted reference can be statically upcast to AnyStruct (valid), and then dynamically downcast to an unrestricted reference (invalid):
- The dynamic subtype check for references does not consider the references’ borrowed type correctly
Addressing the Issues
Hot Fix
The store function may be used to store non-storable values
- Check the storability dynamically by defining the storability for all interpreter values and using it when writing all stored values
A restricted reference can be statically upcast to AnyStruct (valid), and then dynamically downcast to an unrestricted reference (invalid):
- Include the borrowed type in ephemeral references, just like it already is included in storage references
- Extend the dynamic subtype test of storage references and ephemeral references to consider their borrowed type
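The second fix, sketched as a simplified Go model (an added example, not the Flow project's code): the runtime reference carries its borrowed type, and the dynamic downcast consults it instead of looking only at the referenced value. All type and function names, and the constructed `Vault`/`Balance`/`Provider` sample, are assumptions made for illustration.

```go
package main

import "fmt"

// RefType models a reference type: a base type plus the interfaces it is
// restricted to. In this hypothetical model, nil Restrictions = unrestricted.
type RefType struct {
	Base         string
	Restrictions []string
}

// RefValue models a runtime reference. Borrowed is the type it was created
// with; it is all that remains once the static type is upcast to AnyStruct.
type RefValue struct {
	TargetType string // dynamic type of the referenced value
	Borrowed   RefType
}

// castBeforeFix looks only at the referenced value, so restrictions are lost.
func castBeforeFix(v RefValue, to RefType) bool {
	return v.TargetType == to.Base
}

// castAfterFix also refuses any target type that grants more access than
// the borrowed type did.
func castAfterFix(v RefValue, to RefType) bool {
	if v.TargetType != to.Base {
		return false
	}
	if v.Borrowed.Restrictions == nil {
		return true // borrowed unrestricted: any view of the base is allowed
	}
	allowed := map[string]bool{}
	for _, r := range v.Borrowed.Restrictions {
		allowed[r] = true
	}
	for _, r := range to.Restrictions {
		if !allowed[r] {
			return false // target adds an interface that was never granted
		}
	}
	return to.Restrictions != nil // an unrestricted target drops the limits
}

func main() {
	ref := RefValue{"Vault", RefType{"Vault", []string{"Balance"}}} // constructed
	fmt.Println(castBeforeFix(ref, RefType{Base: "Vault"}))         // true
	fmt.Println(castAfterFix(ref, RefType{Base: "Vault"}))          // false
}
```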
Recognition
As core contributors to the Flow ecosystem, we take reported issues very seriously.
We would like to thank the initial reporter Deniz Mert Edincik for finding and reporting these issues responsibly through our Responsible Disclosure Policy.
We would also like to thank Mikey Lemmon for finding the second issue independently and reporting it responsibly, too.
Timeline
2021-04-20
- Issue reported
- Issue investigated
- Minimal reproduction created
- Fixes implemented
2021-04-21
- Fixes tested locally
2021-04-28
- Fixes deployed as part of Testnet and Mainnet spork
2021-05-17
- Public disclosure