PT-2026-60735 · Mpp · Mpp

·

CVE-2026-59694

·

Published

2026-07-17

·

Updated

2026-07-17

CVSS v4.0

8.3

High

VectorAV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions mpp versions 0.2.0 through 0.5.9
Description Improper validation of input quantity allows an unauthenticated remote client to significantly inflate the gas cost per payment for the fee-payer, reducing the sponsor's operating margin. When the library is configured as a fee payer, the cosign fee payer/3 function re-signs client-supplied base fields of the 0x76 AASigned envelope without validating the length or contents of the EIP-2930 access list. EIP-2930 access list entries incur intrinsic gas costs regardless of whether the addresses are used. A malicious client can submit a transferWithMemo call with numerous fabricated access-list entries, causing the fee-payer wallet to pay a large multiple of the expected gas cost. This can lead to the gradual draining of the fee-payer wallet.
Recommendations Update mpp to version 0.6.0 or later. As a temporary mitigation, set the fee payer configuration to false to disable server-side gas sponsorship.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59694
GHSA-QPXH-FF8M-C62V

Affected Products

Mpp