PT-2026-60735 · Mpp · Mpp
CVSS v4.0
8.3
High
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
mpp versions 0.2.0 through 0.5.9
Description
Improper validation of input quantity allows an unauthenticated remote client to significantly inflate the gas cost per payment for the fee-payer, reducing the sponsor's operating margin. When the library is configured as a fee payer, the
cosign fee payer/3 function re-signs client-supplied base fields of the 0x76 AASigned envelope without validating the length or contents of the EIP-2930 access list. EIP-2930 access list entries incur intrinsic gas costs regardless of whether the addresses are used. A malicious client can submit a transferWithMemo call with numerous fabricated access-list entries, causing the fee-payer wallet to pay a large multiple of the expected gas cost. This can lead to the gradual draining of the fee-payer wallet.Recommendations
Update mpp to version 0.6.0 or later.
As a temporary mitigation, set the
fee payer configuration to false to disable server-side gas sponsorship.Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mpp