MPPX TypeScript Interface Vulnerability (CVE-2026-34209)
A vulnerability exists in mppx TypeScript interface before version 0.4.11, allowing attackers to close or grief channels for free by submitting close vouchers equal to the settled amount due to incorrect validation.
The mppx library is a TypeScript interface designed for machine payments protocols. A vulnerability, identified as CVE-2026-34209, exists in versions prior to 0.4.11. Specifically, the tempo/session cooperative close handler incorrectly validates close voucher amounts. Instead of using a less than or equal to (<=) comparison, it uses a less than (<) comparison when checking against the on-chain settled amount. This flaw allows a malicious actor to submit a close voucher with an amount…
Detection coverage 1
Detect Mismatched Close Voucher Amounts
mediumDetects close voucher submissions where the voucher amount equals the settled amount, potentially indicating exploitation of CVE-2026-34209.
Detection queries are kept inside the platform. Get full rules →
Indicators of compromise
2