Fixed: Cadence Vulnerabilities 2022-06

Issue Overview

  • Current Status: Issue Fixed
  • Affected Network: Testnet, Mainnet

Summary of Impact

  1. A critical-impact vulnerability allowed circumventing resource semantics. This could have allowed someone to send a malicious transaction that duplicated resources.
  2. A critical-impact vulnerability allowed the creation of references with an incorrect type. This could have allowed someone to send a malicious transaction that treated a value as if it were of any type it chose, bypassing the type system.
  3. A high-impact vulnerability allowed a resource to be used after it had been destroyed.

Technical Summary of Issues

  1. Contracts are singleton composite values. They are stored in an account and must never be copied or moved to another account. This rule was previously enforced only statically, by the type checker; it is now also enforced dynamically, at run time.
  2. A typed capability (for example `Capability<&T>`) may be upcast to an untyped `Capability`. After such an upcast, the `check` and `borrow` functions used the wrong type argument, so the reference obtained from a capability could have a type that did not match the linked value.
  3. Destroying a resource did not invalidate existing references to it, so those references remained usable after the resource was gone.
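The third issue can be illustrated with a short Cadence script. This is an added example, not code from the advisory or from the Cadence project; it uses the pre-1.0 Cadence syntax that was current in 2022, and the `Counter` resource is made up for illustration.

```cadence
// Added illustration, not from the advisory. `Counter` is a made-up resource.
pub resource Counter {
    pub var count: Int

    init() {
        self.count = 0
    }

    pub fun increment() {
        self.count = self.count + 1
    }
}

pub fun main(): Int {
    // The resource lives in a local variable; `ref` is a reference to it.
    let counter <- create Counter()
    let ref: &Counter = &counter as &Counter

    ref.increment()          // valid: the resource still exists
    let before = ref.count   // 1

    // Destroying the resource ends its lifetime. Before the fix, `ref` stayed
    // usable and pointed at the destroyed value; after the fix the reference is
    // invalidated, and the commented line below aborts with a runtime error
    // instead of silently reading or mutating a destroyed resource.
    destroy counter
    // ref.increment()       // runtime error on a fixed interpreter

    return before
}
```

The script can be executed against the Flow emulator with the Flow CLI (`flow scripts execute`). With the last `ref.increment()` restored, an interpreter that includes the fix rejects the script rather than completing it; that rejection is the behaviour the fix introduces.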

Mitigation

The security reports were immediately acknowledged and reproduced. Fixes were developed and deployed to all networks.

In addition, with the release of Secure Cadence to all networks, multiple additional defensive checks for resource tracking have been added.

Further defensive checks are planned to prevent similar issues in the future.

Recognition

As core contributors to the Flow ecosystem, we take reported issues very seriously. We would like to thank the following individuals for responsibly reporting these issues through our Responsible Disclosure Policy; each has been awarded an appropriate bounty:

  • Deniz Mert Edincik for finding and reporting the first vulnerability
  • Austin Kline (flowty) for finding and reporting the second vulnerability
  • Halborn for finding and reporting the third vulnerability during their security audit engagement