GHSA-8x4m-qw58-3pcx

Impact

Multiple vulnerabilities were discovered in tempo/charge and tempo/session which allowed for undesirable behaviors, including:

• Replaying tempo/charge transaction hashes across push/pull modes, across charge/session endpoints, and via concurrent requests
• Performing free tempo/charge requests due to missing transfer log verification in pull-mode
• Replaying tempo/charge credentials across routes via cross-route scope confusion (memo/splits not included in scope binding)
• Manipulating the fee payer of a tempo/charge handler into paying for requests (missing sender signature before co-signing)
• Bypassing tempo/session voucher signature verification
• Piggybacking off existing tempo/session channels via settle voucher reuse and weak channel ID binding
• Performing free tempo/session requests by exploiting channel reopen without on-chain settled state
• Accepting deductions on finalized tempo/session channels
• Bypassing payment on free routes via method-mismatch fallback
• Griefing tempo/session channels via force-close detection bypass (closeRequestedAt not persisted)

Patches

Fixed in 0.4.8.

Workarounds

There are no workarounds available for these vulnerabilities.