CVE-2026-59695 in mpp
Summary
by MITRE • 07/17/2026
Improper Validation of Specified Quantity in Input in ZenHive mpp allows an unauthenticated remote client to drain the fee-payer wallet in a single request by naming an arbitrarily high gas price.
When the mpp Elixir library is configured as fee payer (fee_payer: true), MPP.Tempo.Transaction.cosign_fee_payer/3 re-signs the client-supplied base fields of the 0x76 AASigned envelope verbatim, including max_fee_per_gas and max_priority_fee_per_gas, without validating that they are within reasonable bounds. A malicious client embeds arbitrarily large values for these fields in the signed envelope. The server co-signs and broadcasts the transaction. The effective_gas_price billed against the fee-payer wallet is derived from the attacker-supplied ceilings, so the server pays those inflated per-gas rates out of its own wallet. A single crafted request can drain the wallet entirely, after which the server can no longer sponsor gas for legitimate payment requests.
This issue affects mpp: from 0.2.0 before 0.6.0.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability described represents a critical financial security flaw in the ZenHive mpp library that enables unauthorized depletion of fee-payer wallets through improper input validation. This issue specifically impacts systems where the mpp Elixir library operates as a fee payer, creating a scenario where malicious actors can exploit trust-based transaction processing to drain computational resources from legitimate service providers. The vulnerability stems from inadequate validation mechanisms within the MPP.Tempo.Transaction.cosign_fee_payer/3 function that handles Ethereum transaction signing operations.
The technical implementation flaw occurs when the system accepts and processes client-supplied transaction parameters without proper bounds checking on gas pricing fields. Specifically, the max_fee_per_gas and max_priority_fee_per_gas values are copied verbatim from client-signed 0x76 AASigned envelopes without validation against reasonable market parameters. This allows attackers to embed arbitrarily high gas prices that can exceed the fee-payer wallet balance in a single transaction request. The vulnerability demonstrates poor input sanitization practices that violate fundamental security principles for transaction processing systems.
From an operational impact perspective, this vulnerability enables a single malicious request to completely deplete a fee-payer wallet, rendering the system incapable of processing legitimate transactions that require gas sponsorship. The financial implications are severe as the server operator bears the cost of inflated gas fees that can accumulate rapidly with minimal client effort. This represents a complete loss of service availability for the affected system and creates significant financial exposure for operators who rely on fee-payer functionality.
The security implications extend beyond simple financial loss to include system availability and trust degradation. Attackers can exploit this vulnerability without authentication requirements, making it particularly dangerous as any remote client can initiate the attack. The issue affects versions from 0.2.0 through 0.5.x of the mpp library, indicating a prolonged period where systems were vulnerable to this class of attack. This vulnerability aligns with CWE-20, which addresses improper input validation, and maps to ATT&CK technique T1499.004 for unauthorized resource consumption. The lack of bounds checking on critical financial parameters creates an exploitable condition that directly violates secure coding practices for transaction processing systems.
Mitigation strategies should focus on implementing strict validation of gas pricing parameters before accepting client-signed transactions, establishing reasonable upper bounds for max_fee_per_gas and max_priority_fee_per_gas values, and incorporating rate limiting mechanisms to prevent rapid depletion of fee-payer balances. System operators should also implement monitoring for unusual gas pricing patterns and consider implementing transaction replay protection measures. The fix requires updating the cosign_fee_payer function to validate gas price parameters against current market rates and minimum/maximum acceptable thresholds, ensuring that fee-payer wallets cannot be drained through malicious input manipulation.