CVE-2026-59252: CWE-1284 Improper Validation of Specified Quantity in Input in ZenHive mpp
Improper Validation of Specified Quantity in Input in ZenHive mpp allows an unauthenticated remote client to drain the fee-payer wallet, resulting in denial of service for legitimate clients. When the mpp Elixir library is configured as fee payer (fee_payer: true), the MPP.Methods.Tempo payment method co-signs and broadcasts a client-supplied EVM transaction without first validating that the client-supplied gas_limit is sufficient to complete the intended call. A malicious client can submit a signed transferWithMemo transaction with gas_limit deliberately set just below the amount required for successful execution. The server co-signs the transaction and broadcasts it via rpc_broadcast_sync. The transaction runs out of gas during EVM execution and reverts, but the fee-payer wallet is still charged for the burned gas while the client pays nothing and receives no resource. Repeated requests from one or more malicious clients drain the fee-payer wallet at near-zero cost to the attacker, ultimately preventing the server from sponsoring gas for legitimate payment requests. The wait_for_confirmation = false (optimistic) path is also affected: it invokes simulate_payment_call via eth_call, but that simulation omits the gas parameter and therefore does not catch out-of-gas conditions. This issue affects mpp: from 0.2.0 before 0.6.0.
AI Analysis
Technical Summary
The vulnerability arises because the MPP.Methods.Tempo payment method co-signs and broadcasts client-supplied EVM transactions without validating that the gas_limit is sufficient for successful execution. Attackers can submit signed transferWithMemo transactions with gas_limit set just below the required amount, causing the transaction to revert during execution but still consuming gas fees from the fee-payer wallet. Additionally, the optimistic path (wait_for_confirmation = false) uses eth_call simulation that omits the gas parameter, failing to detect out-of-gas conditions. This flaw allows unauthenticated remote clients to drain the fee-payer wallet at near-zero cost, resulting in denial of service for legitimate users. The issue affects mpp versions from 0.2.0 before 0.6.0.
Potential Impact
An attacker can cause the fee-payer wallet to be drained by repeatedly submitting transactions with insufficient gas limits that revert but still consume gas fees. This results in denial of service for legitimate clients who rely on the fee-payer wallet to sponsor gas fees for their transactions. The attacker incurs minimal cost while depleting the wallet, potentially disrupting normal service operation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should avoid configuring the mpp Elixir library as fee payer or implement additional validation of gas_limit before broadcasting transactions. Monitoring transaction gas usage and limiting fee-payer wallet exposure may help reduce risk.
CVE-2026-59252: CWE-1284 Improper Validation of Specified Quantity in Input in ZenHive mpp
Description
Improper Validation of Specified Quantity in Input in ZenHive mpp allows an unauthenticated remote client to drain the fee-payer wallet, resulting in denial of service for legitimate clients. When the mpp Elixir library is configured as fee payer (fee_payer: true), the MPP.Methods.Tempo payment method co-signs and broadcasts a client-supplied EVM transaction without first validating that the client-supplied gas_limit is sufficient to complete the intended call. A malicious client can submit a signed transferWithMemo transaction with gas_limit deliberately set just below the amount required for successful execution. The server co-signs the transaction and broadcasts it via rpc_broadcast_sync. The transaction runs out of gas during EVM execution and reverts, but the fee-payer wallet is still charged for the burned gas while the client pays nothing and receives no resource. Repeated requests from one or more malicious clients drain the fee-payer wallet at near-zero cost to the attacker, ultimately preventing the server from sponsoring gas for legitimate payment requests. The wait_for_confirmation = false (optimistic) path is also affected: it invokes simulate_payment_call via eth_call, but that simulation omits the gas parameter and therefore does not catch out-of-gas conditions. This issue affects mpp: from 0.2.0 before 0.6.0.
CVSS v4.0
Score 8.2high
Affected software
cpe:2.3:a:ZenHive:mpp:*:*:*:*:*:*:*:*Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises because the MPP.Methods.Tempo payment method co-signs and broadcasts client-supplied EVM transactions without validating that the gas_limit is sufficient for successful execution. Attackers can submit signed transferWithMemo transactions with gas_limit set just below the required amount, causing the transaction to revert during execution but still consuming gas fees from the fee-payer wallet. Additionally, the optimistic path (wait_for_confirmation = false) uses eth_call simulation that omits the gas parameter, failing to detect out-of-gas conditions. This flaw allows unauthenticated remote clients to drain the fee-payer wallet at near-zero cost, resulting in denial of service for legitimate users. The issue affects mpp versions from 0.2.0 before 0.6.0.
Potential Impact
An attacker can cause the fee-payer wallet to be drained by repeatedly submitting transactions with insufficient gas limits that revert but still consume gas fees. This results in denial of service for legitimate clients who rely on the fee-payer wallet to sponsor gas fees for their transactions. The attacker incurs minimal cost while depleting the wallet, potentially disrupting normal service operation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should avoid configuring the mpp Elixir library as fee payer or implement additional validation of gas_limit before broadcasting transactions. Monitoring transaction gas usage and limiting fee-payer wallet exposure may help reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-07-04T04:24:03.653Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a5b400c34329bf928c6fbc1
Added to database: 07/18/2026, 08:57:48 UTC
Last enriched: 07/18/2026, 09:35:30 UTC
Last updated: 07/18/2026, 11:08:17 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.