Access control in the World contract is based on namespaces. When a new namespace is registered, the caller becomes the owner of the namespace, and has full access to resources (tables, systems, hooks, function selectors, balance) in this namespace.

If a table is registered via the World’s registerTable method, the caller is required to either own the namespace, or the namespace to not exist yet (in which case it is created and the caller becomes the owner).

However, since namespaces are a World concept, if a table is registered directly via the StoreCore library, no namespace is automatically registered for it.

This is what happened in the World’s initialisation phase. The CoreModule registers all internal tables, including those in the store namespace (Store’s internal tables), via direct calls to the internal StoreCore library, and while it manually registered the world and root namespace, it didn’t register the store namespace.

Since the store namespace was not registered after the World’s initialization, anyone could have claimed the store namespace and would have gained access to all Store’s internal tables.

We patched this vulnerability in https://github.com/latticexyz/mud/pull/1712 and released a new version including the fix: 2.0.0-next.11.