MPPX Payment Bypass and Griefing Vulnerabilities
Multiple vulnerabilities in the `mppx` npm package (versions prior to 0.4.8) allow for payment bypass, transaction replay attacks, fee manipulation, signature bypass, and channel griefing, potentially leading to financial loss and service disruption.
The mppx npm package, a payment processing library, contains several critical vulnerabilities that could be exploited to bypass payment requirements, manipulate transaction fees, and disrupt payment channels. These vulnerabilities affect versions prior to 0.4.8, and arise from insufficient validation of transaction hashes, missing transfer log verification, cross-route scope confusion, and weaknesses in channel ID binding. Successful exploitation could allow attackers to perform free transactions, force others to pay their fees, or render payment channels unusable, leading to significant financial losses and reputational damage for applications relying on the vulnerable library.
Attack Chain
- Initial Access: An attacker identifies a vulnerable application using a version of the
mppxnpm package prior to 0.4.8. - Transaction Replay: The attacker replays
tempo/chargetransaction hashes across push/pull modes or charge/session endpoints to duplicate payments or bypass charges. - Free Requests (Pull Mode): The attacker performs free
tempo/chargerequests by exploiting missing transfer log verification in pull mode. - Fee Manipulation: The attacker manipulates the fee payer of a
tempo/chargehandler into paying for their requests by exploiting the missing sender signature check. - Voucher Bypass: The attacker bypasses
tempo/sessionvoucher signature verification to gain unauthorized access. - Channel Hijacking: The attacker piggybacks off existing
tempo/sessionchannels by reusing settle vouchers and exploiting weak channel ID binding. - Griefing: The attacker griefs
tempo/sessionchannels via force-close detection bypass by exploiting the fact thatcloseRequestedAtis not persisted. - Impact: The attacker successfully bypasses payment, manipulates fees, or disrupts payment channels, resulting in financial loss and service disruption for the targeted application.
Impact
Successful exploitation of these vulnerabilities could lead to significant financial losses for applications using the vulnerable versions of the mppx package. Attackers can perform free transactions at the expense of legitimate users or the service provider. Moreover, attackers can grief payment channels, rendering them unusable and disrupting services that rely on them. The number of affected applications is unknown, but any application utilizing mppx prior to version 0.4.8 is potentially vulnerable.
Recommendation
- Upgrade the
mppxnpm package to version 0.4.8 or later to patch the vulnerabilities (reference: Patches section). - Implement robust input validation and integrity checks for all transaction-related data, especially when using
tempo/chargeandtempo/session(reference: Overview). - Monitor network traffic for unusual patterns indicative of transaction replay attacks or attempts to bypass payment mechanisms.
- Deploy the Sigma rule to detect potential exploitation attempts related to free requests.
Detection coverage 2
Detect Free Tempo/Charge Requests (Pull Mode)
highDetects potential exploitation of the 'tempo/charge' endpoint in pull mode, characterized by a lack of transfer log verification.
Detect Suspicious HTTP Status Codes on tempo/session endpoint
mediumDetects unusual HTTP status codes on the tempo/session endpoint, potentially indicating vulnerability exploitation attempts.
Detection queries are available on the platform. Get full rules →