mppx 0.5.4 → 0.5.6

package/src/tempo/Attribution.test.ts

@@ -16,27 +16,38 @@ describe('Attribution', () => {
 
   describe('encode', () => {
     test('returns a 32-byte hex string', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       // 0x prefix + 64 hex chars = 32 bytes
       expect(memo).toMatch(/^0x[0-9a-f]{64}$/i)
     })
 
     test('starts with TAG + version byte', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       const tag = memo.slice(0, 10) // 0x + 8 hex chars
       expect(tag.toLowerCase()).toBe(Attribution.tag.toLowerCase())
       const version = memo.slice(10, 12)
       expect(version).toBe('01')
     })
 
-    test('generates unique memos (random nonce)', () => {
-      const a = Attribution.encode({ serverId: 'api.example.com' })
-      const b = Attribution.encode({ serverId: 'api.example.com' })
+    test('produces deterministic memos (challenge-bound nonce)', () => {
+      const a = Attribution.encode({ challengeId: 'challenge-a', serverId: 'api.example.com' })
+      const b = Attribution.encode({ challengeId: 'challenge-b', serverId: 'api.example.com' })
       expect(a).not.toBe(b)
+      const c = Attribution.encode({ challengeId: 'challenge-a', serverId: 'api.example.com' })
+      expect(a).toBe(c)
     })
 
     test('encodes server fingerprint from serverId', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       const expectedFingerprint = Hex.slice(
         Hash.keccak256(Bytes.fromString('api.example.com'), { as: 'Hex' }),
         0,
@@ -47,7 +58,11 @@ describe('Attribution', () => {
     })
 
     test('encodes client fingerprint from clientId', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com', clientId: 'my-app' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        clientId: 'my-app',
+        serverId: 'api.example.com',
+      })
       const expectedFingerprint = Hex.slice(
         Hash.keccak256(Bytes.fromString('my-app'), { as: 'Hex' }),
         0,
@@ -58,13 +73,20 @@ describe('Attribution', () => {
     })
 
     test('encodes zero client bytes when no clientId', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       const clientHex = `0x${memo.slice(32, 52)}` as `0x${string}`
       expect(clientHex).toBe(Attribution.anonymous)
     })
 
     test('treats empty string clientId as anonymous', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com', clientId: '' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        clientId: '',
+        serverId: 'api.example.com',
+      })
       const clientHex = `0x${memo.slice(32, 52)}` as `0x${string}`
       expect(clientHex).toBe(Attribution.anonymous)
       const decoded = Attribution.decode(memo)
@@ -75,12 +97,19 @@ describe('Attribution', () => {
 
   describe('isMppMemo', () => {
     test('returns true for encoded memos', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       expect(Attribution.isMppMemo(memo)).toBe(true)
     })
 
     test('returns true for encoded memos with clientId', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com', clientId: 'my-app' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        clientId: 'my-app',
+        serverId: 'api.example.com',
+      })
       expect(Attribution.isMppMemo(memo)).toBe(true)
     })
 
@@ -101,13 +130,19 @@ describe('Attribution', () => {
     })
 
     test('returns false for wrong version', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       const wrongVersion = `${memo.slice(0, 10)}ff${memo.slice(12)}` as `0x${string}`
       expect(Attribution.isMppMemo(wrongVersion)).toBe(false)
     })
 
     test('handles mixed case hex', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       const tagUpper = memo.slice(0, 10).toUpperCase()
       const mixed = `0x${tagUpper.slice(2)}${memo.slice(10)}` as `0x${string}`
       expect(Attribution.isMppMemo(mixed)).toBe(true)
@@ -116,17 +151,27 @@ describe('Attribution', () => {
 
   describe('verifyServer', () => {
     test('returns true for matching serverId', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       expect(Attribution.verifyServer(memo, 'api.example.com')).toBe(true)
     })
 
     test('returns true for matching serverId with clientId', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com', clientId: 'my-app' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        clientId: 'my-app',
+        serverId: 'api.example.com',
+      })
       expect(Attribution.verifyServer(memo, 'api.example.com')).toBe(true)
     })
 
     test('returns false for wrong serverId', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       expect(Attribution.verifyServer(memo, 'other.example.com')).toBe(false)
     })
 
@@ -139,7 +184,11 @@ describe('Attribution', () => {
 
   describe('decode', () => {
     test('decodes an encoded memo with serverId and clientId', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com', clientId: 'my-app' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        clientId: 'my-app',
+        serverId: 'api.example.com',
+      })
       const result = Attribution.decode(memo)
       expect(result).not.toBeNull()
       expect(result!.version).toBe(1)
@@ -150,7 +199,10 @@ describe('Attribution', () => {
     })
 
     test('decodes anonymous client as null', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       const result = Attribution.decode(memo)
       expect(result).not.toBeNull()
       expect(result!.clientFingerprint).toBeNull()
@@ -162,14 +214,22 @@ describe('Attribution', () => {
       expect(Attribution.decode(arbitrary)).toBeNull()
     })
 
-    test('different encodes produce different nonces', () => {
-      const a = Attribution.decode(Attribution.encode({ serverId: 'api.example.com' }))
-      const b = Attribution.decode(Attribution.encode({ serverId: 'api.example.com' }))
+    test('different challengeIds produce different nonces', () => {
+      const a = Attribution.decode(
+        Attribution.encode({ challengeId: 'challenge-a', serverId: 'api.example.com' }),
+      )
+      const b = Attribution.decode(
+        Attribution.encode({ challengeId: 'challenge-b', serverId: 'api.example.com' }),
+      )
       expect(a!.nonce).not.toBe(b!.nonce)
     })
 
     test('serverId fingerprint matches expected keccak hash', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com', clientId: 'my-app' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        clientId: 'my-app',
+        serverId: 'api.example.com',
+      })
       const result = Attribution.decode(memo)!
       const expectedServer = Hex.slice(
         Hash.keccak256(Bytes.fromString('api.example.com'), { as: 'Hex' }),
@@ -180,9 +240,55 @@ describe('Attribution', () => {
     })
 
     test('returns null for wrong version via decode', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       const corrupted = `${memo.slice(0, 10)}ff${memo.slice(12)}` as `0x${string}`
       expect(Attribution.decode(corrupted)).toBeNull()
     })
   })
+
+  describe('challengeNonce', () => {
+    test('returns 7 bytes', () => {
+      const nonce = Attribution.challengeNonce('challenge-123')
+      expect(nonce.length).toBe(7)
+    })
+
+    test('is deterministic', () => {
+      const a = Attribution.challengeNonce('challenge-123')
+      const b = Attribution.challengeNonce('challenge-123')
+      expect(Hex.fromBytes(a)).toBe(Hex.fromBytes(b))
+    })
+
+    test('differs for different challengeIds', () => {
+      const a = Attribution.challengeNonce('challenge-123')
+      const b = Attribution.challengeNonce('challenge-456')
+      expect(Hex.fromBytes(a)).not.toBe(Hex.fromBytes(b))
+    })
+  })
+
+  describe('verifyChallengeBinding', () => {
+    test('returns true for matching challengeId', () => {
+      const memo = Attribution.encode({
+        challengeId: 'challenge-123',
+        serverId: 'api.example.com',
+      })
+      expect(Attribution.verifyChallengeBinding(memo, 'challenge-123')).toBe(true)
+    })
+
+    test('returns false for wrong challengeId', () => {
+      const memo = Attribution.encode({
+        challengeId: 'challenge-123',
+        serverId: 'api.example.com',
+      })
+      expect(Attribution.verifyChallengeBinding(memo, 'challenge-456')).toBe(false)
+    })
+
+    test('returns false for non-MPP memo', () => {
+      const arbitrary =
+        '0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef' as `0x${string}`
+      expect(Attribution.verifyChallengeBinding(arbitrary, 'challenge-123')).toBe(false)
+    })
+  })
 })

package/src/tempo/Attribution.ts

@@ -14,7 +14,7 @@ import { Bytes, Hash, Hex } from 'ox'
  * | 4      | 1    | version (0x01)                            |
  * | 5..14  | 10   | serverId = keccak256(serverId)[0..9]       |
  * | 15..24 | 10   | clientId = keccak256(clientId)[0..9] or 0s |
- * | 25..31 | 7    | nonce (random bytes)                      |
+ * | 25..31 | 7    | nonce = keccak256(challengeId)[0..6]      |
  *
  * The TAG prefix makes MPP transactions trivially distinguishable
  * from arbitrary memos via `TransferWithMemo` event topic filtering.
@@ -50,11 +50,11 @@ function fingerprint(value: string): Uint8Array {
  * ```ts
  * import * as Attribution from './Attribution.js'
  *
- * const memo = Attribution.encode({ serverId: 'api.example.com', clientId: 'my-app' })
+ * const memo = Attribution.encode({ challengeId: 'challenge-123', clientId: 'my-app', serverId: 'api.example.com' })
  * ```
  */
 export function encode(parameters: encode.Parameters) {
-  const { serverId, clientId } = parameters
+  const { serverId, clientId, challengeId } = parameters
   const buf = new Uint8Array(32)
 
   buf.set(Hex.toBytes(tag), 0)
@@ -62,18 +62,22 @@ export function encode(parameters: encode.Parameters) {
   buf.set(fingerprint(serverId), 5)
   if (clientId) buf.set(fingerprint(clientId), 15)
 
-  const nonce = crypto.getRandomValues(new Uint8Array(7))
-  buf.set(nonce, 25)
+  // Derive the nonce from keccak256(challengeId)[0..6] to bind the memo
+  // to the challenge and prevent transaction hash stealing.
+  // TODO: expand to full memo verification once the server tracks the complete attribution payload.
+  buf.set(challengeNonce(challengeId), 25)
 
   return Hex.fromBytes(buf)
 }
 
 export declare namespace encode {
   type Parameters = {
-    /** Server identity used to derive the server fingerprint. */
-    serverId: string
+    /** Challenge ID used to derive a deterministic nonce, binding the memo to the challenge. */
+    challengeId: string
     /** Optional client identity used to derive the client fingerprint. */
     clientId?: string | undefined
+    /** Server identity used to derive the server fingerprint. */
+    serverId: string
   }
 }
 
@@ -87,7 +91,7 @@ export declare namespace encode {
  * ```ts
  * import * as Attribution from './Attribution.js'
  *
- * Attribution.isMppMemo(Attribution.encode({ serverId: 'api.example.com' })) // true
+ * Attribution.isMppMemo(Attribution.encode({ challengeId: 'challenge-123', serverId: 'api.example.com' })) // true
  * Attribution.isMppMemo('0x0000...0000')      // false
  * ```
  */
@@ -124,7 +128,7 @@ export function verifyServer(memo: `0x${string}`, serverId: string): boolean {
  * ```ts
  * import * as Attribution from './Attribution.js'
  *
- * const memo = Attribution.encode({ serverId: 'api.example.com', clientId: 'my-app' })
+ * const memo = Attribution.encode({ challengeId: 'challenge-123', clientId: 'my-app', serverId: 'api.example.com' })
  * const decoded = Attribution.decode(memo)
  * // { version: 1, serverFingerprint: '0x...', clientFingerprint: '0x...', nonce: '0x...' }
  * ```
@@ -150,7 +154,32 @@ export declare namespace decode {
     serverFingerprint: `0x${string}`
     /** 10-byte client fingerprint hex, or `null` if anonymous. */
     clientFingerprint: `0x${string}` | null
-    /** 7-byte random nonce hex. */
+    /** 7-byte challenge-bound nonce hex (keccak256(challengeId)[0..6]). */
     nonce: `0x${string}`
   }
 }
+
+/**
+ * Computes the 7-byte challenge-bound nonce: keccak256(challengeId)[0..6].
+ * @internal
+ */
+export function challengeNonce(challengeId: string): Uint8Array {
+  const hash = Hash.keccak256(Bytes.fromString(challengeId), { as: 'Hex' })
+  return Hex.toBytes(Hex.slice(hash, 0, 7))
+}
+
+/**
+ * Verifies that a memo's nonce is bound to the given challengeId.
+ *
+ * Checks TAG, version byte, and that bytes 25–31 equal keccak256(challengeId)[0..6].
+ *
+ * @param memo - A `0x`-prefixed hex string (bytes32).
+ * @param challengeId - The expected challenge ID.
+ * @returns `true` if the memo has a valid MPP tag and matching challenge nonce.
+ */
+export function verifyChallengeBinding(memo: `0x${string}`, challengeId: string): boolean {
+  const decoded = decode(memo)
+  if (!decoded) return false
+  const expectedNonce = Hex.fromBytes(challengeNonce(challengeId))
+  return decoded.nonce.toLowerCase() === expectedNonce.toLowerCase()
+}

package/src/tempo/client/Charge.ts

@@ -92,7 +92,7 @@ export function charge(parameters: charge.Parameters = {}) {
 
       const memo = methodDetails?.memo
         ? (methodDetails.memo as Hex.Hex)
-        : Attribution.encode({ serverId: challenge.realm, clientId })
+        : Attribution.encode({ challengeId: challenge.id, clientId, serverId: challenge.realm })
       const transfers = Charge_internal.getTransfers({
         amount,
         methodDetails: {

package/src/tempo/server/Charge.test.ts

@@ -154,6 +154,7 @@ describe('tempo', () => {
       const { receipt } = await Actions.token.transferSync(client, {
         account: accounts[1],
         amount: BigInt(challenge1.request.amount),
+        memo: Attribution.encode({ challengeId: challenge1.id, serverId: realm }) as Hex.Hex,
         to: challenge1.request.recipient as Hex.Hex,
         token: challenge1.request.currency as Hex.Hex,
       })
@@ -231,6 +232,7 @@ describe('tempo', () => {
       const { receipt } = await Actions.token.transferSync(client, {
         account: accounts[1],
         amount: BigInt(challenge1.request.amount),
+        memo: Attribution.encode({ challengeId: challenge1.id, serverId: realm }) as Hex.Hex,
         to: challenge1.request.recipient as Hex.Hex,
         token: challenge1.request.currency as Hex.Hex,
       })
@@ -314,6 +316,7 @@ describe('tempo', () => {
       const { receipt } = await Actions.token.transferSync(client, {
         account: accounts[1],
         amount: BigInt(challenge1.request.amount),
+        memo: Attribution.encode({ challengeId: challenge1.id, serverId: realm }) as Hex.Hex,
         to: challenge1.request.recipient as Hex.Hex,
         token: challenge1.request.currency as Hex.Hex,
       })
@@ -477,6 +480,7 @@ describe('tempo', () => {
       const { receipt } = await Actions.token.transferSync(client, {
         account: accounts[1],
         amount: BigInt(challenge1.request.amount),
+        memo: Attribution.encode({ challengeId: challenge1.id, serverId: realm }) as Hex.Hex,
         to: challenge1.request.recipient as Hex.Hex,
         token: challenge1.request.currency as Hex.Hex,
       })
@@ -554,6 +558,7 @@ describe('tempo', () => {
       const { receipt } = await Actions.token.transferSync(client, {
         account: accounts[1],
         amount: BigInt(challenge1.request.amount),
+        memo: Attribution.encode({ challengeId: challenge1.id, serverId: realm }) as Hex.Hex,
         to: challenge1.request.recipient as Hex.Hex,
         token: challenge1.request.currency as Hex.Hex,
       })
@@ -635,6 +640,7 @@ describe('tempo', () => {
       const { receipt } = await Actions.token.transferSync(client, {
         account: accounts[1],
         amount: BigInt(challenge.request.amount),
+        memo: Attribution.encode({ challengeId: challenge.id, serverId: realm }) as Hex.Hex,
         to: challenge.request.recipient as Hex.Hex,
         token: challenge.request.currency as Hex.Hex,
       })
@@ -1570,7 +1576,7 @@ describe('tempo', () => {
       })
       const request = challenge.request
 
-      const memo = Attribution.encode({ serverId: challenge.realm })
+      const memo = Attribution.encode({ challengeId: challenge.id, serverId: challenge.realm })
 
       // Build a transaction with the valid transfer + a rogue extra call
       const transferCall = Actions.token.transfer.call({
@@ -2880,7 +2886,11 @@ describe('tempo', () => {
 
       expect(challenge.request.methodDetails?.memo).toBeUndefined()
 
-      const memo = Attribution.encode({ serverId: challenge.realm, clientId: 'test-app' })
+      const memo = Attribution.encode({
+        challengeId: challenge.id,
+        clientId: 'test-app',
+        serverId: challenge.realm,
+      })
       expect(Attribution.isMppMemo(memo)).toBe(true)
       expect(Attribution.verifyServer(memo, realm)).toBe(true)
 
@@ -2926,7 +2936,7 @@ describe('tempo', () => {
         methods: [tempo_client.charge()],
       })
 
-      const memo = Attribution.encode({ serverId: challenge.realm })
+      const memo = Attribution.encode({ challengeId: challenge.id, serverId: challenge.realm })
       const decoded = Attribution.decode(memo)
       expect(decoded).not.toBeNull()
       expect(decoded!.clientFingerprint).toBeNull()
@@ -2986,7 +2996,7 @@ describe('tempo', () => {
       httpServer.close()
     })
 
-    test('server accepts plain transfer without memo', async () => {
+    test('server rejects plain transfer without challenge-bound memo', async () => {
       const httpServer = await Http.createServer(async (req, res) => {
         const result = await Mppx_server.toNodeListener(
           server.charge({ amount: '1', decimals: 6 }),
@@ -3018,7 +3028,197 @@ describe('tempo', () => {
         const response = await fetch(httpServer.url, {
           headers: { Authorization: Credential.serialize(credential) },
         })
-        expect(response.status).toBe(200)
+        expect(response.status).toBe(402)
+        const body = (await response.json()) as { detail: string }
+        expect(body.detail).toContain('memo is not bound to this challenge')
+      }
+
+      httpServer.close()
+    })
+
+    test('server rejects hash with wrong challenge nonce (stolen tx)', async () => {
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          server.charge({ amount: '1', decimals: 6 }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      // Get two different challenges
+      const response1 = await fetch(httpServer.url)
+      expect(response1.status).toBe(402)
+      const challenge1 = Challenge.fromResponse(response1, {
+        methods: [tempo_client.charge()],
+      })
+
+      const response2 = await fetch(httpServer.url)
+      expect(response2.status).toBe(402)
+      const challenge2 = Challenge.fromResponse(response2, {
+        methods: [tempo_client.charge()],
+      })
+
+      // Legitimate transfer bound to challenge1
+      const memo = Attribution.encode({ challengeId: challenge1.id, serverId: realm })
+      const { receipt } = await Actions.token.transferSync(client, {
+        account: accounts[1],
+        amount: BigInt(challenge1.request.amount),
+        memo: memo as Hex.Hex,
+        to: challenge1.request.recipient as Hex.Hex,
+        token: challenge1.request.currency as Hex.Hex,
+      })
+
+      // Attacker tries to use this tx hash against challenge2
+      const credential = Credential.from({
+        challenge: challenge2,
+        payload: { hash: receipt.transactionHash, type: 'hash' as const },
+      })
+
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential) },
+        })
+        expect(response.status).toBe(402)
+        const body = (await response.json()) as { detail: string }
+        expect(body.detail).toContain('memo is not bound to this challenge')
+      }
+
+      httpServer.close()
+    })
+
+    test('server rejects hash with non-MPP memo', async () => {
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          server.charge({ amount: '1', decimals: 6 }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(402)
+
+      const challenge = Challenge.fromResponse(response, {
+        methods: [tempo_client.charge()],
+      })
+
+      // Transfer with an arbitrary non-MPP memo
+      const arbitraryMemo =
+        '0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' as Hex.Hex
+      const { receipt } = await Actions.token.transferSync(client, {
+        account: accounts[1],
+        amount: BigInt(challenge.request.amount),
+        memo: arbitraryMemo,
+        to: challenge.request.recipient as Hex.Hex,
+        token: challenge.request.currency as Hex.Hex,
+      })
+
+      const credential = Credential.from({
+        challenge,
+        payload: { hash: receipt.transactionHash, type: 'hash' as const },
+      })
+
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential) },
+        })
+        expect(response.status).toBe(402)
+        const body = (await response.json()) as { detail: string }
+        expect(body.detail).toContain('memo is not bound to this challenge')
+      }
+
+      httpServer.close()
+    })
+
+    test('server rejects hash when challenge nonce is on dust transfer, not payment', async () => {
+      const dedupStore = Store.memory()
+      const chargeServer = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return client
+            },
+            currency: asset,
+            account: accounts[0],
+            store: dedupStore,
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          chargeServer.charge({ amount: '1', decimals: 6 }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      // Get two challenges
+      const response1 = await fetch(httpServer.url)
+      expect(response1.status).toBe(402)
+      const challengeA = Challenge.fromResponse(response1, {
+        methods: [tempo_client.charge()],
+      })
+
+      const response2 = await fetch(httpServer.url)
+      expect(response2.status).toBe(402)
+      const challengeB = Challenge.fromResponse(response2, {
+        methods: [tempo_client.charge()],
+      })
+
+      // Craft a multi-call tx: primary payment with challengeA's nonce,
+      // plus a same-currency dust transfer with challengeB's nonce.
+      // Without matched-log binding, the dust transfer would satisfy
+      // challengeB's binding check on the same tx hash.
+      const memoA = Attribution.encode({ challengeId: challengeA.id, serverId: realm })
+      const memoB = Attribution.encode({ challengeId: challengeB.id, serverId: realm })
+
+      // Broadcast a multi-call tx: payment to the merchant with challengeA's
+      // nonce, plus a same-currency dust transfer with challengeB's nonce.
+      const prepared = await prepareTransactionRequest(client, {
+        account: accounts[1]!,
+        calls: [
+          Actions.token.transfer.call({
+            amount: BigInt(challengeA.request.amount),
+            memo: memoA as Hex.Hex,
+            to: challengeA.request.recipient as Hex.Hex,
+            token: challengeA.request.currency as Hex.Hex,
+          }),
+          // Dust transfer with challengeB's nonce — the exploit vector
+          Actions.token.transfer.call({
+            amount: 1n,
+            memo: memoB as Hex.Hex,
+            to: accounts[2].address,
+            token: challengeA.request.currency as Hex.Hex,
+          }),
+        ],
+        nonceKey: 'expiring',
+      } as never)
+      prepared.gas = prepared.gas! + 5_000n
+      const sig = await signTransaction(client, prepared as never)
+      const { transactionHash } = await (
+        await import('viem/actions')
+      ).sendRawTransactionSync(client, {
+        serializedTransaction: sig,
+      })
+
+      // Submit hash against challengeB — the matched payment log (to the
+      // merchant for the correct amount) carries challengeA's nonce. The dust
+      // transfer carries challengeB's nonce but should NOT satisfy the check
+      // since it wasn't the matched payment log.
+      {
+        const credential = Credential.from({
+          challenge: challengeB,
+          payload: { hash: transactionHash, type: 'hash' as const },
+        })
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential) },
+        })
+        expect(response.status).toBe(402)
+        const body = (await response.json()) as { detail: string }
+        expect(body.detail).toContain('memo is not bound to this challenge')
       }
 
       httpServer.close()