Get rid of the unsafe get_mut function in the rust cdk

Roman mentions this in the community-conversation, this is an unsafe api, two get_mut calls within the same public-method can corrupt the memory.


thread_local! With the Cell and RefCell is the way to go.

3 Likes

There are several examples that are using the unsafe approach. The cycles wallet too.

1 Like

FYI @roman-kashitsyn

I couldn’t find the video but I did find this blog post:

https://mmapped.blog/posts/01-effective-rust-canisters.html

  1. IS20 fixes two other vulnerabilities found in prior implementations of token standards. There is a bug in the commonly used ic_cdk storage that can lead to memory corruption through dangling references. Please see the appendix for more details.

Linked bug: Heap corruption in storage · Issue #73 · dfinity/cdk-rs · GitHub

Infinity Swap Impl: ic-helpers/lib.rs at main · infinity-swap/ic-helpers · GitHub

thread_local! {
    static store: Rc<RefCell<#ident>> = Rc::new(RefCell::new(#ident::default()));
}

Example usage in their IS20 token: