Implicit trust placed on parameters passed in by callers

Currently, the CosmWasm contract only accepts VAAs from certain whitelisted contracts on Pythnet. A trustless relayer can use signed VAAs from one of these contracts to execute price feed updates or governance instructions. The CosmWasm contract functions on the trust assumption that all data published by the emitter is already validated. The CosmWasm contract itself performs very minimal validation on the VAAs. Therefore, it is possible for the attestation contract to publish messages that could brick the contract in the following way (either due to a compromise or accidentally): Prevent the contract from accepting new price feed updates.

Below, we will dive a little deeper into how a caller may perform the above action, but it is crucial to note that Pyth Network has communicated with us on this issue already. They have stated that the caller is an attestation contract on Pythnet, and that the attestation contract itself enforces that the arguments passed into the CosmWasm contract calls are valid and cannot brick the contract.