Hi MUD developer,
GM! Thanks for signing up for the MUD newsletter.
Last week, we tidied up some straggling items in the codebase and began to finalize more of our documentation. The most important item in the newsletter this week is a patch for a vulnerability we found that would allow anyone to claim the Store namespace and add new tables to it. We have patched the vulnerability and recommend you update to the latest version of MUD.
As we’re currently undergoing an audit, we may find more issues in the coming weeks. We’ll be releasing them as they’re discovered. Please don’t hesitate to reach out if you have any questions!
Many thanks,
The MUD team
Onchain
We had our audit kick-off call with OpenZeppelin! The audit should be complete in late November.
We found and patched a critical vulnerability where the store namespace was not registered during the initialization phase: 2023-10-06 Store namespace registration vulnerability
A new SystemSwitch utility makes it easier to upgrade to the latest MUD version (where we removed the ability for the World to call itself via an external call)
Offchain
Plugins and config parsing: We had paused the plugin work a couple of months ago to focus on more urgent things like contracts and the indexer. This week we picked it back up, went through a lot of iterations, and finally figured out an approach that will (hopefully) support all our requirements.
Emojimon tutorial code is updated to 2.0.0-next.10 and is being documented
The GitHub snapshot action is unblocked (it was failing because we have too many changesets lined up, so we weren’t getting new snapshot releases for merges into main).
Declarative deployments are almost ready. The CLI will figure out the diff between an existing World and the local MUD config, and only upgrade/add the necessary resources.