// resources ⟶ disclosures
Halborn Cadence (Flow) Vulnerability Discovery
Halborn security researcher Ferran Celades identified a vulnerability in the Secure Cadence update to Cadence during an audit engagement with Dapper Labs. This vulnerability affected how the Flow blockchain managed resources. Halborn has worked with Cadence to deploy an update that addressed the issue.
Cadence, the Flow blockchain’s programming language, inappropriately allowed destroyed resources to be accessed and used. The update enabled smart contracts to contain references to optional values. When these optional values were used by a program, they were tested to see if they actually contained a value — i.e. were not nil — and were unwrapped to expose that value.
When resources were destroyed, references to that resource were not invalidated, making it possible to continue to access those resources via these references. This issue, similar to a “use after free” vulnerability would inappropriately provide access to the memory allocated to the resource even after that memory might have been allocated to another variable.
pub resource R {
pub var value: Int
init(value: Int) {
self.value = value
}
pub fun increment() {
self.value = self.value + 1
}
}
pub fun main(): Int {
let resources <- {
"r1": <-create R(value: 0)
}
let ref: &R? = &resources["r1"] as &R?
destroy <-resources.remove(key: "r1")
destroy resources
ref!.increment()
log(ref!.value)
return 1
}Developer Guidance
This vulnerability affects smart contracts that were developed after the Secure Cadence update and that make use of optional values. If a smart contract uses optional values and creates references to them, these references might not be appropriately cleared after a resource is destroyed.
Developer Mitigation
The Cadence interpreter has been updated to address the issue. Upon creation of a reference, the type of the inner value is checked. If the inner value is a resource, it is tracked throughout its lifetime, and, when the resource is destroyed, references to it are invalidated as well.
Have concerns, want to learn more, or have a bug you'd like to disclose? Please reach out to us at disclosures@halborn.com
Halborn is hiring! If you're someone who can help make our products and this industry more secure, consider joining our team.
THIS WEBSITE USES COOKIES
We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you've provided to them or that they've collected from your use of their services. You consent to our cookies if you continue to use our website. Learn More.