Skip to main content

ZenHive mpp EUVDEUVD-2026-45159

| CVE-2026-59694 HIGH
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-07-17 EEF GHSA-r4hx-mhrp-xf73
8.3
CVSS 4.0 · Vendor: EEF
Share

Severity by source

Vendor (EEF) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Unauthenticated network access to a fee-payer deployment (PR:N, AV:N, AC:L); no confidentiality or data-integrity impact; sustained gas/wallet drain is a resource-exhaustion availability impact (A:H).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (EEF).

CVSS VectorVendor: EEF

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 17, 2026 - 10:47 vuln.today
Analysis Generated
Jul 17, 2026 - 10:47 vuln.today
CVE Published
Jul 17, 2026 - 10:11 cve.org
HIGH 8.3

DescriptionCVE.org

Improper Validation of Specified Quantity in Input in ZenHive mpp allows an unauthenticated remote client to inflate the fee-payer's gas cost per payment by a large multiplier, degrading the sponsor's operating margin.

When the mpp Elixir library is configured as fee payer (fee_payer: true), MPP.Tempo.Transaction.cosign_fee_payer/3 re-signs the client-supplied base fields of the 0x76 AASigned envelope verbatim, including the EIP-2930 access list, without validating its length or contents. EIP-2930 access list entries incur intrinsic gas (~2,400 gas per address, plus 1,900 gas per storage key) charged before any opcode executes, regardless of whether the listed addresses are ever touched. A malicious client submits a valid transferWithMemo call alongside a large number of fabricated access-list entries. The server co-signs and broadcasts the transaction. The intended transfer executes normally, but the fee-payer wallet pays a large multiple of the expected gas cost with no corresponding on-chain work.

At the maintainer's default of 137 access-list entries (fitting within Bandit's 10,000-byte per-header-field limit) and 100 Gwei max_fee_per_gas, per-payment gas cost rises from ~51,287 to ~380,087 gas, a 7.4x multiplier. Sustained abuse destroys the sponsor's operating margin on low-cost payments and, over time, drains the fee-payer wallet.

This issue affects mpp: from 0.2.0 before 0.6.0.

AnalysisAI

Economic resource exhaustion in the ZenHive mpp Elixir library (versions 0.2.0 through 0.5.x) lets an unauthenticated remote client inflate a sponsoring fee-payer's gas cost per payment by roughly 7.4x, draining the sponsor wallet over sustained abuse. When deployed with fee_payer: true, MPP.Tempo.Transaction.cosign_fee_payer/3 re-signs client-supplied base fields of the 0x76 AASigned envelope verbatim - including an oversized EIP-2930 access list - without validating length or contents, so intrinsic gas is charged for fabricated entries that touch nothing on-chain. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Connect as unauthenticated remote client
Delivery
Craft valid transferWithMemo with 137 padded access-list entries
Exploit
Server co-signs 0x76 envelope verbatim
Execution
Broadcast inflated transaction on-chain
Persist
Fee-payer wallet pays 7.4x gas
Impact
Sustained abuse drains sponsor wallet

Vulnerability AssessmentAI

Exploitation Exploitation requires the mpp server to be deployed as fee payer (fee_payer: true), invoking MPP.Tempo.Transaction.cosign_fee_payer/3 to sponsor gas for Tempo transactions on affected versions 0.2.0 through 0.5.x. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a credible but bounded financial-abuse risk rather than a system-compromise flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A server operator runs mpp as a fee payer to sponsor gas for user payments. A malicious client submits a legitimate transferWithMemo call but pads the EIP-2930 access list with 137 fabricated address entries; the server co-signs and broadcasts it, and the transfer succeeds while the fee-payer wallet pays about 380,087 gas instead of ~51,287 (7.4x) at 100 Gwei. …
Remediation Upgrade to mpp 0.6.0, which is the vendor-released patch (commit 5d6338e2334084c5f2a78cfcca474830733ed7e8) that adds MPP.Methods.Tempo.FeePayerPolicy to validate the client-signed 0x76 envelope's gas economics before co-signing - bounding gas_limit, max_fee_per_gas, max_priority_fee_per_gas, and the total-fee budget, and rejecting non-empty access lists; the fix is safe-by-default so existing fee_payer: true deployments are protected without config changes, and it also closes the related unbounded-fee vector GHSA-vv77-66rf-pm86. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all systems running ZenHive mpp Elixir library versions 0.2.0 through 0.5.x to identify instances with fee_payer enabled, implement granular monitoring for transaction gas cost anomalies, and establish alerts for cost inflation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45159 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy