Avoid ffi by making a contract rpc but also add tons of new tests, including tests that it was previously impossible to write because we've now got a .proto definition for a contract virtual machine, and from there we can actually see where issues are.
So it's also in some way a security disclosure.
Reported by me to Mag and Barry of Interchain Labs in October 2024. Back then I was under the impression that things like this were going to get fixed silently -- as they should be. Unfortunately, I was wrong in my impression that security items would get fixed in a clear and timely manner, and full disclosure is better than partial disclosure, so here it is.
Claude got a little carried away with emojis in the readme, but I am just as confident as Claude is that there are some serious oopsies here, mainly of the "you put invalid data in field, chain die now" variety, but possibly others. As I explained repeatedly to Mag and Barry, it's a broad set of issues with varying impacts here, because wasmvm is very loose. If wasmvm were tightened, and made testable, then Cosmos would have a safe, secure, modern smart contract platform. The CW language is really pretty good.
So there's stuff that you can do that should be impossible for you to do, and the result of you doing that stuff on mainnets is unknown, but I reckon that they'd just crash and not come back up easy.
To be clear, the only reason this is being reported in public is that reporting it in private repeatedly failed due to the issue having actual complexity, and no one having time / desire to deal with difficult/complex issues.
In short, wasmvm fails to validate many seemingly consequential items:
The service definition adds a layer of validation before anything can reach the virtual machine, and aids in making problem areas show clearly.
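The pattern the description argues for, a validation layer at the RPC boundary that rejects malformed input before it reaches the virtual machine and turns any panic that still escapes into an error instead of a process crash, as an added illustration that is not code from this PR or from wasmvm. The request type, its field names (`Checksum`, `GasLimit`, `Msg`), the error values, and the `fakeVM` backend are all hypothetical stand-ins chosen for this example; the real service and message definitions live in the PR's `.proto` file and may look quite different.

```go
package main

import (
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ContractCallRequest is a hypothetical request shape standing in for the
// message a .proto service definition would generate. Field names are
// assumptions for this example, not taken from the PR.
type ContractCallRequest struct {
	Checksum string // hex-encoded 32-byte hash identifying the contract code
	GasLimit uint64 // must be positive; zero is meaningless for execution
	Msg      []byte // JSON object handed to the contract entry point
}

var (
	ErrBadChecksum = errors.New("checksum must be 32 bytes of hex")
	ErrZeroGas     = errors.New("gas limit must be positive")
	ErrBadMsg      = errors.New("msg must be a JSON object")
)

// ValidateRequest rejects malformed input at the service boundary so that
// nothing reaches the VM that the VM was never written to handle.
func ValidateRequest(r ContractCallRequest) error {
	raw, err := hex.DecodeString(r.Checksum)
	if err != nil || len(raw) != 32 {
		return ErrBadChecksum
	}
	if r.GasLimit == 0 {
		return ErrZeroGas
	}
	var obj map[string]json.RawMessage
	if err := json.Unmarshal(r.Msg, &obj); err != nil {
		return ErrBadMsg
	}
	return nil
}

// fakeVM stands in for the real virtual machine. It panics on an empty
// message to mimic a backend that assumes its caller already validated input.
func fakeVM(r ContractCallRequest) string {
	if len(r.Msg) == 0 {
		panic("vm: nil msg")
	}
	return fmt.Sprintf("executed %s with gas limit %d", r.Checksum[:8], r.GasLimit)
}

// Execute is the service handler: validate first, then convert any panic that
// still escapes the VM into an ordinary error, so a single bad request yields
// a failed call rather than a crashed node process.
func Execute(r ContractCallRequest) (result string, err error) {
	if err := ValidateRequest(r); err != nil {
		return "", fmt.Errorf("rejected before VM: %w", err)
	}
	defer func() {
		if p := recover(); p != nil {
			err = fmt.Errorf("vm panic: %v", p)
		}
	}()
	return fakeVM(r), nil
}

func main() {
	// Constructed sample inputs: one well-formed call and one with an empty msg.
	good := ContractCallRequest{
		Checksum: strings.Repeat("ab", 32),
		GasLimit: 100000,
		Msg:      []byte(`{"increment":{}}`),
	}
	bad := ContractCallRequest{Checksum: good.Checksum, GasLimit: 1}

	if res, err := Execute(good); err == nil {
		fmt.Println("ok:", res)
	}
	if _, err := Execute(bad); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The point of the `recover` in `Execute` is defence in depth: the validator is the primary control, but a node should never be one unanticipated field away from going down, so the handler also refuses to let a backend panic propagate.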