Fixed: Cadence Vulnerability 2021-04-20

Issue Overview

  • Current Status: Issue Fixed
  • Affected Network: Testnet, Mainnet

Summary of Impact

  • A user who is able to send transactions is able to crash the execution node and thus halt the network by attempting to store a non-storable value

  • A user who is able to send transactions is able to remove the restrictions imposed on a reference and thus, for example, gain access to a fungible token vault even if the user is only granted access to query the balance

Technical Summary of Issues

The store function may be used to store non-storable values

  • There are cases where it is possible to attempt storing non-storable values. The value encoder is unable to serialize the value, which leads to an implementation panic

A restricted reference can be statically upcast to AnyStruct (valid), and then dynamically downcast to an unrestricted reference (invalid):

  • The dynamic subtype check for references does not consider the references’ borrowed type correctly

Addressing the Issues

Hot Fix

The store function may be used to store non-storable values

  • Check the storability dynamically by defining the storability for all interpreter values and using it when writing all stored values

A restricted reference can be statically upcast to AnyStruct (valid), and then dynamically downcast to an unrestricted reference (invalid):

  • Include the borrowed type in ephemeral references, just like it already is included in storage references
  • Extend the dynamic subtype test of storage references and ephemeral references to consider their borrowed type
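The reference check described in the two fix items above, as an added example in Go (the language the Cadence interpreter is written in) and not code from the Cadence project itself: a simplified model in which the pre-fix check compares only the referenced value's dynamic type, while the fixed check includes the reference's borrowed type, so a `&Vault{Balance}` reference cannot be downcast to `&Vault`. The type and restriction names (`Vault`, `Balance`, `Receiver`) and the subtype rules are simplified assumptions made for this example.

```go
package main

import "fmt"

// Constructed, simplified model of Cadence-style references and the dynamic
// subtype check behind `as?`; example code, not the Cadence interpreter's own.
type RefType struct { // a reference type: borrowed base type + restricting interfaces
	Base         string
	Restrictions map[string]bool // empty means unrestricted, e.g. &Vault
}

// ReferenceValue is a runtime reference; the hot fix records its borrowed type for later downcast checks.
type ReferenceValue struct {
	ReferencedType string  // dynamic type of the referenced value, e.g. "Vault"
	BorrowedType   RefType // static type of the reference, e.g. &Vault{Balance}
}

// isRefSubtype: restrictions may be kept, dropped or added, never removed, except when widening to &AnyStruct.
func isRefSubtype(sub, super RefType) bool {
	if super.Base != "AnyStruct" && sub.Base != super.Base {
		return false
	}
	if len(super.Restrictions) == 0 { // unrestricted target
		return super.Base == "AnyStruct" || len(sub.Restrictions) == 0
	}
	if len(sub.Restrictions) == 0 {
		return true // narrowing an unrestricted reference (conformance not modelled)
	}
	for r := range super.Restrictions {
		if !sub.Restrictions[r] {
			return false // target uses an interface the reference never granted
		}
	}
	return true
}

// downcastBeforeFix models the flawed check: only the referenced value's dynamic type is compared.
func downcastBeforeFix(ref ReferenceValue, target RefType) bool {
	return target.Base == "AnyStruct" || ref.ReferencedType == target.Base
}

// downcastAfterFix models the hot fix: the borrowed type takes part in the test.
func downcastAfterFix(ref ReferenceValue, target RefType) bool {
	return isRefSubtype(ref.BorrowedType, target)
}

func main() {
	ref := ReferenceValue{"Vault", RefType{"Vault", map[string]bool{"Balance": true}}}
	fmt.Println(downcastBeforeFix(ref, RefType{Base: "Vault"}), downcastAfterFix(ref, RefType{Base: "Vault"})) // true false
}
```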

Recognition

As core contributors to the Flow ecosystem, we take reported issues very seriously.

We would like to thank the initial reporter Deniz Mert Edincik for finding and reporting these issues responsibly through our Responsible Disclosure Policy.
We would also like to thank Mikey Lemmon for finding the second issue independently and reporting it responsibly, too.

Timeline

2021-04-20

  • Issue reported
  • Issue investigated
  • Minimal reproduction created
  • Fixes implemented

2021-04-21

  • Fixes tested locally

2021-04-28

  • Fixes deployed as part of Testnet and Mainnet spork

2021-05-17

  • Public disclosure