Access control in the World contract is based on namespaces. When a new namespace is registered, the caller becomes the owner of the namespace, and has full access to resources (tables, systems, hooks, function selectors, balance) in this namespace.
If a table is registered via the World’s registerTable method, the caller must either own the namespace, or the namespace must not exist yet (in which case it is created and the caller becomes the owner).
However, since namespaces are a World concept, if a table is registered directly via the StoreCore library, no namespace is automatically registered for it.
This is what happened in the World’s initialisation phase. The CoreModule registers all internal tables, including those in the store namespace (Store’s internal tables), via direct calls to the internal StoreCore library, and while it manually registered the world and root namespaces, it didn’t register the store namespace.
Since the store namespace was not registered after the World’s initialization, anyone could have claimed the store namespace and would have gained access to all of Store’s internal tables.
We patched this vulnerability in https://github.com/latticexyz/mud/pull/1712 and released a new version including the fix: 2.0.0-next.11.
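The ownership rules described above, as a simplified Python model added here for illustration (not MUD's Solidity code and not part of the original advisory). Class, method and table names and the addresses are assumptions; unowned_namespaces is the invariant to check after initialisation: every namespace that holds a table has an owner.

```python
# Simplified model of the namespace ownership rules (hypothetical names, not MUD's API).
class AccessDenied(Exception):
    pass

class World:
    def __init__(self):
        self.namespace_owner = {}  # namespace -> owner address
        self.tables = set()        # (namespace, table name)

    def store_core_register_table(self, namespace, name):
        # Models a direct StoreCore call: the table exists, but no namespace is registered.
        self.tables.add((namespace, name))

    def register_namespace(self, caller, namespace):
        if namespace in self.namespace_owner:
            raise AccessDenied(f"namespace {namespace!r} is already registered")
        self.namespace_owner[namespace] = caller

    def register_table(self, caller, namespace, name):
        # Models the World's registerTable: create the namespace if it does not
        # exist yet, otherwise require the caller to own it.
        if namespace not in self.namespace_owner:
            self.register_namespace(caller, namespace)
        elif self.namespace_owner[namespace] != caller:
            raise AccessDenied(f"{caller} does not own namespace {namespace!r}")
        self.tables.add((namespace, name))

    def unowned_namespaces(self):
        # Invariant check: namespaces that hold tables but have no owner.
        return sorted({ns for ns, _ in self.tables} - set(self.namespace_owner))

def initialise(register_store_namespace):
    """Model of initialisation, with or without the store namespace registered."""
    world = World()
    deployer = "0xDeployer"  # constructed address; the owner identity is an assumption
    for ns in ("store", "world"):
        world.store_core_register_table(ns, "InternalTable")  # constructed table name
    world.register_namespace(deployer, "world")
    world.register_namespace(deployer, "root")
    if register_store_namespace:
        world.register_namespace(deployer, "store")
    return world
```

Running unowned_namespaces on the model without the store registration returns the store namespace, which is the state the advisory describes.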