Update on Path to Stable Cadence - announcing “Secure Cadence” milestone

Update 17 May
Hi All, the Secure Cadence bug bounty announcement is out: Help us test Secure Cadence release candidate!

Update 6th May
Hello friends of Flow! I am happy to report “business as usual” before the weekend - we are making great progress on Secure Cadence and will soon be ready to kick off the bug bounty - stay tuned!
Security audits are progressing well, one of them likely concluding in about a week. No major findings this week.
In case someone hasn’t noticed - please look at the previous update referencing the breaking changes coming up - we want you to be ready!

Update 27th April
Hi All, please take a look at this post describing the breaking changes in the upcoming release: Breaking changes coming with Secure Cadence release!

Update 22nd April
Hello Flow Community!
As you can probably imagine, we have been very busy working on final changes for Secure Cadence. The development team’s efforts are now mostly focused on testing. The audits from NCC Group and Halborn are ongoing and there are no major findings at this time.
One last reminder - as mentioned in earlier posts, the Secure Cadence release introduces breaking changes and we are expecting required updates for most apps and contracts. We are finalizing the list of the breaking changes and will be posting an update on those changes very soon!

Update 4th April
The implementation of Secure Cadence is wrapping up, and we have now officially kicked off security audits with Halborn and NCC Group.
These audits will continue through the next couple of months and will probe deeply into the Cadence language and the Flow Virtual Machine as part of efforts to harden Cadence security. This is an important step towards permissionless contract deployments - you can find more details with all the milestones in the Permissionless Contract Deployment Progress post!

Over the last few weeks we have been heads down on the Stable Cadence version and we have an update to share.

Our goal has not changed: it is still to enable Mainnet deployments with no barriers. As we were working on the many changes mentioned in the earlier post, we realized that there is a way to achieve this goal faster, with minimal drawbacks.

We have split the overall goal, which we called “Stable Cadence”, into 2 milestones.

The first milestone, called “Secure Cadence”, will focus on the three main steps outlined in the previous post: code hardening, a professional code audit and incentivized stress testing. It will include removal of security “foot-guns”, specifically FLIPs 703 and 739, and some other improvements that have already been completed, like FLIPs 729 and 722.

The second milestone, still named “Stable Cadence”, will focus on the usability improvements which don’t affect the security of smart contracts. It will likely introduce breaking changes, and deployed smart contracts will need to be updated. The changes may include, for example, “Streamlined token standards”, “Improved capabilities” and removal of reentrancy “foot-guns”. All the other aspects of the Stable Cadence milestone remain as described in the original post.

The benefit of the split into 2 milestones is reduced complexity - with the focus on Secure Cadence we will be able to enable the no-barrier deployments of smart contracts on Mainnet sooner.

The drawback is that with more contracts on Mainnet, the subsequent deployment of breaking changes for Stable Cadence will have a higher risk of breaking existing contracts. We will make sure that there is a way for developers to add contact information so that they can be notified of upcoming changes.

Based on the feedback and anecdotes we heard from the community so far, the benefits of this 2-phase approach clearly outweigh the drawbacks. This being said, we’d like to hear your feedback - our understanding and priorities evolve every day and the FLOW community is at the core of our decision making!
