mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher a…

A vulnerability in mppx, a TypeScript interface for machine payments protocol, allows attackers to bypass validation in the tempo/session cooperative close handler. The flaw uses incorrect comparison operator ('<' instead of '<=') when validating close voucher amounts against on-chain settled amounts. An attacker can submit a close voucher exactly equal to the settled amount, which gets accepted without committing new funds, effectively allowing free channel closure or griefing attacks. The vulnerability affects versions prior to 0.4.11 and has been patched in version 0.4.11.