Fixed: Cadence Vulnerability 2024-06-14

Issue Overview

  • Current Status: Issue Fixed
  • Affected Network: Testnet, Mainnet

Summary of Impact

A critical-impact vulnerability that would have allowed someone to duplicate resources.

Technical Summary of Issue

In general, Cadence prevents nested resource moves. For example, an assignment that ends in <- resources[0], where resources is an array of resources, is invalid, as the RHS would implicitly have to remove the nested element from the array.

The Cadence type checker must detect all such cases and report them as errors.

However, the type checker failed to do so in the very particular case of a nil-coalescing expression where the LHS is nil, and the RHS is a nested resource move, e.g. nil ?? resources[0].

The type checker incorrectly returned early in the case where the LHS is nil, causing the error for the invalid RHS to get omitted.

Mitigation

The security report was immediately acknowledged and reproduced. A fix was developed and deployed to all networks.

Recognition

As core contributors to the Flow ecosystem, we take reported issues very seriously and would like to thank @bluesign for reporting the following issue responsibly through our Responsible Disclosure Policy.

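The early return described under "Technical Summary of Issue", modelled as a toy checker. This is an added example, not code from Cadence or from the original post; the AST types, checkMove, and sample are hypothetical names, and the model assumes both operands of ?? are checked as move sources.

```go
package main

import "fmt"

// Toy AST for illustration only; these are not Cadence's real checker types.
type Expr interface{}
type Nil struct{}
type Ident struct{ Name string }
type Index struct { // e.g. resources[0]
	Target Expr
	Idx    int
}
type Coalesce struct{ Left, Right Expr } // Left ?? Right

// checkMove returns the errors for using e as the source of a `<-` move.
// buggy=true models the early return on a nil LHS described in the advisory.
func checkMove(e Expr, buggy bool) []string {
	switch e := e.(type) {
	case Index:
		return []string{"invalid nested resource move"}
	case Coalesce:
		if _, isNil := e.Left.(Nil); isNil && buggy {
			return nil // returns before the RHS is visited, so its error is lost
		}
		// Fixed form: both operands are always checked.
		return append(checkMove(e.Left, buggy), checkMove(e.Right, buggy)...)
	}
	return nil // nil literals and plain identifiers are fine in this model
}

// sample builds the constructed expression `nil ?? resources[0]`.
func sample() Expr {
	return Coalesce{Nil{}, Index{Ident{"resources"}, 0}}
}

func main() {
	fmt.Println("buggy checker:", checkMove(sample(), true))
	fmt.Println("fixed checker:", checkMove(sample(), false))
}
```

A regression test for this class of bug pairs every rejected expression with each wrapper that has a short-circuit path in the checker, and asserts the error is still reported.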