PT-2026-60736 · Mpp · Mpp
CVSS v4.0
8.3
High
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
mpp versions 0.2.0 through 0.5.9
Description
Improper validation of input quantities allows an unauthenticated remote client to drain the fee-payer wallet in a single request by specifying an arbitrarily high gas price. When the library is configured as a fee payer, the
cosign fee payer/3 function re-signs client-supplied base fields of the 0x76 AASigned envelope without validating that max fee per gas and max priority fee per gas are within reasonable bounds. A malicious client can embed excessively large values for these variables, causing the server to pay inflated per-gas rates from its own wallet. This can result in the complete depletion of the wallet, preventing the server from sponsoring gas for legitimate requests. This issue is only reachable when the MPP.Methods.Tempo method is configured with fee payer: true.Recommendations
Update mpp to version 0.6.0 or later.
As a temporary mitigation, set the
fee payer configuration to false to disable server-side gas sponsorship.Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mpp