CVE-2026-59694 in mppinfo

Summary

by MITRE • 07/17/2026

Improper Validation of Specified Quantity in Input in ZenHive mpp allows an unauthenticated remote client to inflate the fee-payer's gas cost per payment by a large multiplier, degrading the sponsor's operating margin.

When the mpp Elixir library is configured as fee payer (fee_payer: true), MPP.Tempo.Transaction.cosign_fee_payer/3 re-signs the client-supplied base fields of the 0x76 AASigned envelope verbatim, including the EIP-2930 access list, without validating its length or contents. EIP-2930 access list entries incur intrinsic gas (~2,400 gas per address, plus 1,900 gas per storage key) charged before any opcode executes, regardless of whether the listed addresses are ever touched. A malicious client submits a valid transferWithMemo call alongside a large number of fabricated access-list entries. The server co-signs and broadcasts the transaction. The intended transfer executes normally, but the fee-payer wallet pays a large multiple of the expected gas cost with no corresponding on-chain work.

At the maintainer's default of 137 access-list entries (fitting within Bandit's 10,000-byte per-header-field limit) and 100 Gwei max_fee_per_gas, per-payment gas cost rises from ~51,287 to ~380,087 gas, a 7.4x multiplier. Sustained abuse destroys the sponsor's operating margin on low-cost payments and, over time, drains the fee-payer wallet.

This issue affects mpp: from 0.2.0 before 0.6.0.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

The vulnerability described represents a critical flaw in the ZenHive mpp library's transaction handling mechanism that exploits improper input validation within the EIP-2930 access list processing. This weakness allows malicious actors to manipulate gas cost calculations without affecting the actual transaction execution, creating a significant financial attack vector. The vulnerability specifically targets systems where the mpp library operates in fee payer mode, making it particularly dangerous for service providers who sponsor gas costs for their users.

The technical implementation flaw occurs within the MPP.Tempo.Transaction.cosign_fee_payer/3 function which processes client-supplied transaction data without proper validation of the EIP-2930 access list contents. This function blindly re-signs the entire 0x76 AASigned envelope including the access list entries, treating them as legitimate without verifying their length or content validity. The underlying issue stems from CWE-20: Improper Input Validation, where the system fails to validate that input parameters fall within expected ranges and constraints. The access list entries in EIP-2930 transactions incur intrinsic gas costs regardless of whether the addresses or storage keys are actually accessed during execution, creating a direct correlation between the number of entries and total gas consumption.

This vulnerability directly impacts operational security by enabling what attackers can term "gas inflation attacks" where computational resources are consumed without corresponding value creation. The attack vector operates through the manipulation of transaction parameters that are processed but not validated, allowing an unauthenticated remote client to cause significant financial harm to the fee payer. According to ATT&CK framework technique T1496, this represents a resource exhaustion attack that specifically targets operational costs rather than system availability. The mathematical impact demonstrates a 7.4x increase in gas consumption from approximately 51,287 to 380,087 gas per payment, which translates directly into reduced profitability for service providers.

The financial implications extend beyond single transactions to create sustained operational damage that can drain fee-payer wallets over time, particularly affecting low-cost payment scenarios where margin requirements are already tight. This vulnerability affects all versions of the mpp library from 0.2.0 through 0.5.x, representing a prolonged window of exposure for affected systems. The attack's effectiveness stems from the default configuration parameters where 137 access-list entries are sufficient to trigger the maximum gas cost multiplier while remaining within standard network limits that would not raise immediate suspicion.

Mitigation strategies should focus on implementing strict validation of access list parameters including length checks, content validation, and rate limiting mechanisms. System administrators must configure proper input sanitization at the transaction processing layer to prevent unvalidated data from being processed in fee payer mode. Additionally, monitoring systems should track gas cost anomalies and implement automated alerts for transactions showing unusual gas consumption patterns. The fix requires updating the cosign_fee_payer function to validate access list entries before re-signing and potentially implementing maximum limits on access list size to prevent exploitation while maintaining system functionality.

This vulnerability exemplifies how seemingly minor input validation gaps can create substantial financial attack surfaces in blockchain transaction processing systems. The flaw demonstrates the importance of comprehensive security reviews that consider not just code execution paths but also the economic implications of improper parameter handling. Organizations using similar libraries should conduct immediate security assessments to identify and remediate comparable vulnerabilities in their transaction processing pipelines, particularly those operating in fee payer roles where financial exposure is significant.

Responsible

EEF

Reservation

07/06/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to know what is going to be exploited?

We predict KEV entries!