CVE-2026-59694
Received Received - Intake

Gas Fee Inflation in ZenHive mpp Library

Vulnerability report for CVE-2026-59694, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: EEF

Description

Improper Validation of Specified Quantity in Input in ZenHive mpp allows an unauthenticated remote client to inflate the fee-payer's gas cost per payment by a large multiplier, degrading the sponsor's operating margin. When the mpp Elixir library is configured as fee payer (fee_payer: true), MPP.Tempo.Transaction.cosign_fee_payer/3 re-signs the client-supplied base fields of the 0x76 AASigned envelope verbatim, including the EIP-2930 access list, without validating its length or contents. EIP-2930 access list entries incur intrinsic gas (~2,400 gas per address, plus 1,900 gas per storage key) charged before any opcode executes, regardless of whether the listed addresses are ever touched. A malicious client submits a valid transferWithMemo call alongside a large number of fabricated access-list entries. The server co-signs and broadcasts the transaction. The intended transfer executes normally, but the fee-payer wallet pays a large multiple of the expected gas cost with no corresponding on-chain work. At the maintainer's default of 137 access-list entries (fitting within Bandit's 10,000-byte per-header-field limit) and 100 Gwei max_fee_per_gas, per-payment gas cost rises from ~51,287 to ~380,087 gas, a 7.4x multiplier. Sustained abuse destroys the sponsor's operating margin on low-cost payments and, over time, drains the fee-payer wallet. This issue affects mpp: from 0.2.0 before 0.6.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
zenhive mpp From 0.2.0 (inc) to 0.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the mpp library versions 0.2.0 to 0.5.9 when configured as a fee payer. An unauthenticated remote client can submit a valid transaction with a large number of fake EIP-2930 access-list entries. The server co-signs and broadcasts the transaction without validating the access list, causing the fee payer to incur significantly higher gas costs (~7.4x multiplier) due to intrinsic gas fees for unused entries.

Detection Guidance

Monitor for unusually high gas costs in transactions where the mpp library is configured as fee payer (fee_payer: true). Check for transactions with excessive EIP-2930 access list entries, as these inflate gas costs without corresponding on-chain work. Review logs for repeated transferWithMemo calls with large access lists.

Impact Analysis

If you are a fee payer using affected mpp versions, attackers can drain your wallet by forcing you to pay inflated gas fees for transactions. Sustained abuse can destroy operating margins and deplete funds. Users with fee_payer: false are unaffected.

Compliance Impact

This vulnerability does not directly affect compliance with GDPR, HIPAA, or similar standards as it pertains to gas fee manipulation in blockchain transactions rather than data protection or privacy. However, sustained financial losses from gas fee abuse could indirectly impact operational budgets required for compliance measures.

Mitigation Strategies
  • Upgrade the mpp library to version 0.6.0 or later to apply the patch that enforces gas-related field validation and rejects non-empty access lists.
  • If upgrading is not immediately possible, disable the fee payer role by setting fee_payer: false to prevent the server from acting as a fee payer.
  • Implement monitoring to detect and block transactions with abnormally large access lists or gas parameters.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59694. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart