mppx Tempo/Session Cooperative Close Voucher Bypass Vulnerability

Vulnerability

A vulnerability in mppx, the TypeScript interface for the machine payments protocol, prior to version 0.4.11, allowed a bypass of the tempo/session cooperative close voucher validation. The close handler incorrectly used a '<' comparison instead of '<=' against the on-chain settled amount. This flaw enabled an attacker to submit a close voucher equal to the settled amount, which would be accepted without adding any new funds, effectively closing the channel at no cost or causing disruption.

Impact

Exploitation of this vulnerability allowed unauthorized closure of tempo/session payment channels, effectively griefing the channel for free.

Reproduction

To reproduce this vulnerability, open a channel with a voucher amount of 1,000,000 units. After settling the channel on-chain, which confirms the settled amount as 1,000,000, attempt to close the channel using a voucher that exactly matches the settled amount. The system will incorrectly accept the voucher, closing the channel without requiring any additional funds.
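
The boundary condition from the description and reproduction above, as an added TypeScript sketch (not mppx's own code). All function and type names are hypothetical, amounts are plain numbers for brevity, and the comparison is assumed to guard the reject path.

```typescript
// Added illustration. Names are hypothetical, not mppx's API; amounts are
// plain numbers for brevity. Assumes the comparison guards the reject path.
type CloseDecision = { accepted: boolean; newFunds: number };

// Behaviour described for versions before 0.4.11: only vouchers strictly
// below the settled amount are rejected, so an equal voucher is accepted.
function validateCloseVulnerable(voucher: number, settled: number): CloseDecision {
  if (voucher < settled) return { accepted: false, newFunds: 0 };
  return { accepted: true, newFunds: voucher - settled };
}

// Patched comparison: '<=' also rejects a voucher equal to the settled amount.
function validateCloseFixed(voucher: number, settled: number): CloseDecision {
  if (voucher <= settled) return { accepted: false, newFunds: 0 };
  return { accepted: true, newFunds: voucher - settled };
}

// Invariant for regression tests and monitoring: an accepted close must move
// the channel forward by a positive amount.
function isZeroValueClose(d: CloseDecision): boolean {
  return d.accepted && d.newFunds <= 0;
}

type CloseValidator = (voucher: number, settled: number) => CloseDecision;

// Constructed boundary cases around the advisory's settled amount.
const SETTLED = 1_000_000;
const VOUCHERS = [SETTLED - 1, SETTLED, SETTLED + 1];

// Returns the voucher amounts for which a validator accepts a close that
// adds no funds; an empty list means the invariant holds.
function zeroValueCloses(validate: CloseValidator): number[] {
  return VOUCHERS.filter((v) => isZeroValueClose(validate(v, SETTLED)));
}
```

Running zeroValueCloses against both validators shows the equal-amount voucher slipping through only the '<' version, which makes it a compact regression test for the boundary.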

Remediation

Users should update to mppx version 0.4.11 or later, where this vulnerability has been patched.

Added: Mar 31, 2026, 3:58 PM
Updated: Mar 31, 2026, 3:58 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 8.4
remediation: 0.0
relevance: 5.0
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.