Fixed: Cadence Vulnerability 2021-07-14

Issue Overview

  • Current Status: Issue Fixed
  • Affected Network: Testnet, Mainnet

Summary of Impact

Three critical vulnerabilities allowed circumventing resource semantics. This could have allowed someone to send a malicious transactions that create or duplicate resources, or access private functionality or data of values.

Technical Summary of Issues

  • Resource constructors could be casted to function types, allowing malicious resource creation
  • Type confusion caused by container covariance and references, allowing access to private functionality
  • The assignment of a potential second value in an optional-binding was not executed, allowing resources to appear duplicated


As core contributors to the Flow ecosystem, we take reported issues very seriously and would like to thank Deniz Mert Edincik for finding and reporting the first two issues responsibly through our Responsible Disclosure Policy.