- Assurance
  Smart Contract Assessment
  Securing code integrity, protecting digital assets
  Smart Contract Assessment
  Securing code integrity, protecting digital assets
  Blockchain Layer 1 Assessment
  Assessing protocols, securing blockchain foundations
  Blockchain Layer 1 Assessment
  Assessing protocols, securing blockchain foundations
  Code Security Audit
  Uncovering flaws, strengthening software integrity
  Code Security Audit
  Uncovering flaws, strengthening software integrity
  Web Application Penetration Testing
  Exposing weaknesses, fortifying digital defenses
  Web Application Penetration Testing
  Exposing weaknesses, fortifying digital defenses
  Cloud Infrastructure Penetration Testing
  Securing configurations, protecting critical environments
  Cloud Infrastructure Penetration Testing
  Securing configurations, protecting critical environments
  Red Team Exercise
  Simulating real-world attacks, strengthening defenses
  Red Team Exercise
  Simulating real-world attacks, strengthening defenses
  AI Red Teaming
  Testing AI systems against real threats
  AI Red Teaming
  Testing AI systems against real threats
  AI Security Assessment
  Securing AI models, data, and pipelines
  AI Security Assessment
  Securing AI models, data, and pipelines
- Advisory
  AI Advisory
  Guiding secure, strategic AI adoption forward
  AI Advisory
  Guiding secure, strategic AI adoption forward
  Risk Assessment
  From unknown threats to actionable insights
  Risk Assessment
  From unknown threats to actionable insights
  Blockchain Architecture Assessment
  Optimizing architecture for tomorrow’s networks
  Blockchain Architecture Assessment
  Optimizing architecture for tomorrow’s networks
  Compliance Readiness
  Stay ready as regulations evolve
  Compliance Readiness
  Stay ready as regulations evolve
  Custody and Key Management Assessment
  Securing the heart of digital custody
  Custody and Key Management Assessment
  Securing the heart of digital custody
  Technical Due Diligence
  See the risks before you invest
  Technical Due Diligence
  See the risks before you invest
  Technical Training
  Empower your teams to secure what matters
  Technical Training
  Empower your teams to secure what matters

// resources ⟶ disclosures

Halborn Cadence (Flow) Vulnerability Discovery

Introduction

Halborn security researcher Ferran Celades identified a vulnerability in the Secure Cadence update to Cadence during an audit engagement with Dapper Labs. This vulnerability affected how the Flow blockchain managed resources. Halborn has worked with Cadence to deploy an update that addressed the issue.

Description and Overview

Cadence, the Flow blockchain’s programming language, inappropriately allowed destroyed resources to be accessed and used. The update enabled smart contracts to contain references to optional values. When these optional values were used by a program, they were tested to see if they actually contained a value — i.e. were not nil — and were unwrapped to expose that value.

When resources were destroyed, references to that resource were not invalidated, making it possible to continue to access those resources via these references. This issue, similar to a “use after free” vulnerability would inappropriately provide access to the memory allocated to the resource even after that memory might have been allocated to another variable.

pub resource R {
    pub var value: Int
    init(value: Int) {
        self.value = value
    }
    pub fun increment() {
        self.value = self.value + 1
    }
}
pub fun main(): Int {
    let resources <- {
        "r1": <-create R(value: 0)
    }
    let ref: &R? = &resources["r1"] as &R?
    destroy <-resources.remove(key: "r1")
    destroy resources
    ref!.increment()
    log(ref!.value)
    return 1
}

For Smart Contract Developers

Developer Guidance

This vulnerability affects smart contracts that were developed after the Secure Cadence update and that make use of optional values. If a smart contract uses optional values and creates references to them, these references might not be appropriately cleared after a resource is destroyed.

Developer Mitigation

The Cadence interpreter has been updated to address the issue. Upon creation of a reference, the type of the inner value is checked. If the inner value is a resource, it is tracked throughout its lifetime, and, when the resource is destroyed, references to it are invalidated as well.

Have concerns, want to learn more, or have a bug you'd like to disclose? Please reach out to us at disclosures@halborn.com

Halborn is hiring! If you're someone who can help make our products and this industry more secure, consider joining our team.