[Critical security vulnerability] Account ownership not validated in Solana target

[ivypowered]

Hello!

First of all I want to say that this is a really great project. What you've put together here with Solidity is so much simpler, nicer, and easier to work with than the Anchor framework for developing programs and I'm immensely grateful for all the work you've put in.

Unfortunately, there is a critical security vulnerability in the Solang compiler that enables an attacker to craft arbitrary state variables and pass them to the program, which are then deserialized and acted upon as if they were legitimate.

This has far-reaching implications for all Solana programs generated with Solang, which can no longer trust the contents of their account variables.

I've put together a quick demonstration in this repository: https://github.com/ivypowered/solang-owner-not-validated

Thank you and have a great day!