Cosmos: Attacker can use any non-enabled capability
Description

The capabilities implementation in CosmWasm contracts was found to have a vulnerability. Even if the executing chain did not allow a specific capability, a CosmWasm contract could still execute actions that required that capability. This was due to a naive implementation of capabilities and misleading documentation in CosmWasm. The vulnerability allowed an attacker to deploy a CosmWasm contract and execute any action on the chain, regardless of the chain's declared…
