PT-2026-60734 · Mpp · Mpp
CVSS v4.0
8.2
High
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
mpp versions 0.2.0 through 0.5.9
Description
Improper validation of input quantities allows an unauthenticated remote client to drain the fee-payer wallet, leading to a denial of service for legitimate clients. When the library is configured with
fee payer: true, the MPP.Methods.Tempo payment method co-signs and broadcasts client-supplied EVM transactions without verifying if the gas limit is sufficient. An attacker can submit a transferWithMemo transaction with a gas limit set just below the required amount. The server broadcasts this via rpc broadcast sync, and although the transaction reverts due to running out of gas, the fee-payer wallet is charged for the burned gas. Additionally, the optimistic path where wait for confirmation = false is affected because the simulate payment call function via eth call omits the gas parameter, failing to detect out-of-gas conditions.Recommendations
Update mpp to version 0.6.0 or later.
As a temporary mitigation, set
fee payer to false in the MPP.Methods.Tempo configuration to disable server-side gas sponsorship.Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mpp