Severity: Critical
CVSS Score: 9.3
### Impact Multiple vulnerabilities were discovered in `tempo/charge` and `tempo/session` which allowed for undesirable behaviors, including: - Replaying `tempo/charge` transaction hashes across push/pull modes, across charge/session endpoints, and via concurrent requests - Performing free `tempo/charge` requests due to missing transfer log verification in pull-mode - Replaying `tempo/charge` credentials across routes via cross-route scope confusion (`memo`/`splits` not included in scope binding) - Manipulating the fee payer of a `tempo/charge` handler into paying for requests (missing sender signature before co-signing) - Bypassing `tempo/session` voucher signature verification - Piggybacking off existing `tempo/session` channels via settle voucher reuse and weak channel ID binding - Performing free `tempo/session` requests by exploiting channel reopen without on-chain settled state - Accepting deductions on finalized `tempo/session` channels - Bypassing payment on free routes via method-mismatch fallback - Griefing `tempo/session` channels via force-close detection bypass (`closeRequestedAt` not persisted) ### Patches Fixed in 0.4.8. ### Workarounds There are no workarounds available for these vulnerabilities.