fix: bind attribution memo nonce to challenge ID

Prevents transaction hash stealing by deriving the 7-byte memo nonce
from keccak256(challengeId)[0..6] instead of random bytes. The server
verifies this binding for both hash and transaction credentials,
rejecting payments whose memo nonce does not match the challenge.

- Attribution.encode() requires challengeId (no random fallback)
- Client Charge passes challenge.id when encoding attribution memo
- Server Charge verifies challenge-bound nonce for hash and transaction
- Server fingerprint also verified in assertChallengeBoundMemo
- Challenge binding skipped when explicit memo is set (already strict-matched)
- New tests: cross-challenge theft, non-MPP memo rejection, split payments

Author: brendanjryan

.changeset/challenge-bound-memo.md

@@ -0,0 +1,7 @@
+---
+'mppx': patch
+---
+
+Bind attribution memo nonce to challenge ID. The 7-byte nonce field (bytes 25–31) is now derived from `keccak256(challengeId)[0..6]` instead of random bytes, preventing transaction hash stealing in push mode. `Attribution.encode()` now requires `challengeId`. The server verifies challenge binding and server fingerprint for `hash` (push) credentials. Pull-mode `transaction` credentials are not affected — the server controls broadcast, so there is no hash-stealing risk.
+
+**Breaking:** `Attribution.encode()` now requires `challengeId` — callers must pass the challenge ID to generate a memo. Old push-mode clients that generate random attribution nonces or plain transfers without memos are rejected by the server. Pull-mode clients are unaffected.

AGENTS.md

@@ -142,6 +142,22 @@ id = base64url(HMAC-SHA256(server_secret, input))
 
 **Verification:** Server recomputes HMAC from echoed challenge parameters and compares to `id`. If mismatch, reject credential.
 
+## Changesets
+
+**Never manually edit `CHANGELOG.md`.** Use [changesets](https://github.com/changesets/changesets) instead:
+
+Create a `.changeset/<name>.md` file with frontmatter specifying the package and bump type:
+
+```md
+---
+'mppx': patch
+---
+
+Description of the change.
+```
+
+The changelog is auto-generated from changesets during `changeset version`.
+
 ## Commands
 
 ```bash

src/tempo/Attribution.test.ts

@@ -16,27 +16,38 @@ describe('Attribution', () => {
 
   describe('encode', () => {
     test('returns a 32-byte hex string', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       // 0x prefix + 64 hex chars = 32 bytes
       expect(memo).toMatch(/^0x[0-9a-f]{64}$/i)
     })
 
     test('starts with TAG + version byte', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       const tag = memo.slice(0, 10) // 0x + 8 hex chars
       expect(tag.toLowerCase()).toBe(Attribution.tag.toLowerCase())
       const version = memo.slice(10, 12)
       expect(version).toBe('01')
     })
 
-    test('generates unique memos (random nonce)', () => {
-      const a = Attribution.encode({ serverId: 'api.example.com' })
-      const b = Attribution.encode({ serverId: 'api.example.com' })
+    test('produces deterministic memos (challenge-bound nonce)', () => {
+      const a = Attribution.encode({ challengeId: 'challenge-a', serverId: 'api.example.com' })
+      const b = Attribution.encode({ challengeId: 'challenge-b', serverId: 'api.example.com' })
       expect(a).not.toBe(b)
+      const c = Attribution.encode({ challengeId: 'challenge-a', serverId: 'api.example.com' })
+      expect(a).toBe(c)
     })
 
     test('encodes server fingerprint from serverId', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       const expectedFingerprint = Hex.slice(
         Hash.keccak256(Bytes.fromString('api.example.com'), { as: 'Hex' }),
         0,
@@ -47,7 +58,11 @@ describe('Attribution', () => {
     })
 
     test('encodes client fingerprint from clientId', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com', clientId: 'my-app' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        clientId: 'my-app',
+        serverId: 'api.example.com',
+      })
       const expectedFingerprint = Hex.slice(
         Hash.keccak256(Bytes.fromString('my-app'), { as: 'Hex' }),
         0,
@@ -58,13 +73,20 @@ describe('Attribution', () => {
     })
 
     test('encodes zero client bytes when no clientId', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       const clientHex = `0x${memo.slice(32, 52)}` as `0x${string}`
       expect(clientHex).toBe(Attribution.anonymous)
     })
 
     test('treats empty string clientId as anonymous', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com', clientId: '' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        clientId: '',
+        serverId: 'api.example.com',
+      })
       const clientHex = `0x${memo.slice(32, 52)}` as `0x${string}`
       expect(clientHex).toBe(Attribution.anonymous)
       const decoded = Attribution.decode(memo)
@@ -75,12 +97,19 @@ describe('Attribution', () => {
 
   describe('isMppMemo', () => {
     test('returns true for encoded memos', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       expect(Attribution.isMppMemo(memo)).toBe(true)
     })
 
     test('returns true for encoded memos with clientId', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com', clientId: 'my-app' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        clientId: 'my-app',
+        serverId: 'api.example.com',
+      })
       expect(Attribution.isMppMemo(memo)).toBe(true)
     })
 
@@ -101,13 +130,19 @@ describe('Attribution', () => {
     })
 
     test('returns false for wrong version', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       const wrongVersion = `${memo.slice(0, 10)}ff${memo.slice(12)}` as `0x${string}`
       expect(Attribution.isMppMemo(wrongVersion)).toBe(false)
     })
 
     test('handles mixed case hex', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       const tagUpper = memo.slice(0, 10).toUpperCase()
       const mixed = `0x${tagUpper.slice(2)}${memo.slice(10)}` as `0x${string}`
       expect(Attribution.isMppMemo(mixed)).toBe(true)
@@ -116,17 +151,27 @@ describe('Attribution', () => {
 
   describe('verifyServer', () => {
     test('returns true for matching serverId', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       expect(Attribution.verifyServer(memo, 'api.example.com')).toBe(true)
     })
 
     test('returns true for matching serverId with clientId', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com', clientId: 'my-app' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        clientId: 'my-app',
+        serverId: 'api.example.com',
+      })
       expect(Attribution.verifyServer(memo, 'api.example.com')).toBe(true)
     })
 
     test('returns false for wrong serverId', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       expect(Attribution.verifyServer(memo, 'other.example.com')).toBe(false)
     })
 
@@ -139,7 +184,11 @@ describe('Attribution', () => {
 
   describe('decode', () => {
     test('decodes an encoded memo with serverId and clientId', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com', clientId: 'my-app' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        clientId: 'my-app',
+        serverId: 'api.example.com',
+      })
       const result = Attribution.decode(memo)
       expect(result).not.toBeNull()
       expect(result!.version).toBe(1)
@@ -150,7 +199,10 @@ describe('Attribution', () => {
     })
 
     test('decodes anonymous client as null', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       const result = Attribution.decode(memo)
       expect(result).not.toBeNull()
       expect(result!.clientFingerprint).toBeNull()
@@ -162,14 +214,22 @@ describe('Attribution', () => {
       expect(Attribution.decode(arbitrary)).toBeNull()
     })
 
-    test('different encodes produce different nonces', () => {
-      const a = Attribution.decode(Attribution.encode({ serverId: 'api.example.com' }))
-      const b = Attribution.decode(Attribution.encode({ serverId: 'api.example.com' }))
+    test('different challengeIds produce different nonces', () => {
+      const a = Attribution.decode(
+        Attribution.encode({ challengeId: 'challenge-a', serverId: 'api.example.com' }),
+      )
+      const b = Attribution.decode(
+        Attribution.encode({ challengeId: 'challenge-b', serverId: 'api.example.com' }),
+      )
       expect(a!.nonce).not.toBe(b!.nonce)
     })
 
     test('serverId fingerprint matches expected keccak hash', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com', clientId: 'my-app' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        clientId: 'my-app',
+        serverId: 'api.example.com',
+      })
       const result = Attribution.decode(memo)!
       const expectedServer = Hex.slice(
         Hash.keccak256(Bytes.fromString('api.example.com'), { as: 'Hex' }),
@@ -180,9 +240,55 @@ describe('Attribution', () => {
     })
 
     test('returns null for wrong version via decode', () => {
-      const memo = Attribution.encode({ serverId: 'api.example.com' })
+      const memo = Attribution.encode({
+        challengeId: 'test-challenge-1',
+        serverId: 'api.example.com',
+      })
       const corrupted = `${memo.slice(0, 10)}ff${memo.slice(12)}` as `0x${string}`
       expect(Attribution.decode(corrupted)).toBeNull()
     })
   })
+
+  describe('challengeNonce', () => {
+    test('returns 7 bytes', () => {
+      const nonce = Attribution.challengeNonce('challenge-123')
+      expect(nonce.length).toBe(7)
+    })
+
+    test('is deterministic', () => {
+      const a = Attribution.challengeNonce('challenge-123')
+      const b = Attribution.challengeNonce('challenge-123')
+      expect(Hex.fromBytes(a)).toBe(Hex.fromBytes(b))
+    })
+
+    test('differs for different challengeIds', () => {
+      const a = Attribution.challengeNonce('challenge-123')
+      const b = Attribution.challengeNonce('challenge-456')
+      expect(Hex.fromBytes(a)).not.toBe(Hex.fromBytes(b))
+    })
+  })
+
+  describe('verifyChallengeBinding', () => {
+    test('returns true for matching challengeId', () => {
+      const memo = Attribution.encode({
+        challengeId: 'challenge-123',
+        serverId: 'api.example.com',
+      })
+      expect(Attribution.verifyChallengeBinding(memo, 'challenge-123')).toBe(true)
+    })
+
+    test('returns false for wrong challengeId', () => {
+      const memo = Attribution.encode({
+        challengeId: 'challenge-123',
+        serverId: 'api.example.com',
+      })
+      expect(Attribution.verifyChallengeBinding(memo, 'challenge-456')).toBe(false)
+    })
+
+    test('returns false for non-MPP memo', () => {
+      const arbitrary =
+        '0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef' as `0x${string}`
+      expect(Attribution.verifyChallengeBinding(arbitrary, 'challenge-123')).toBe(false)
+    })
+  })
 })

src/tempo/Attribution.ts

@@ -14,7 +14,7 @@ import { Bytes, Hash, Hex } from 'ox'
  * | 4      | 1    | version (0x01)                            |
  * | 5..14  | 10   | serverId = keccak256(serverId)[0..9]       |
  * | 15..24 | 10   | clientId = keccak256(clientId)[0..9] or 0s |
- * | 25..31 | 7    | nonce (random bytes)                      |
+ * | 25..31 | 7    | nonce = keccak256(challengeId)[0..6]      |
  *
  * The TAG prefix makes MPP transactions trivially distinguishable
  * from arbitrary memos via `TransferWithMemo` event topic filtering.
@@ -50,30 +50,34 @@ function fingerprint(value: string): Uint8Array {
  * ```ts
  * import * as Attribution from './Attribution.js'
  *
- * const memo = Attribution.encode({ serverId: 'api.example.com', clientId: 'my-app' })
+ * const memo = Attribution.encode({ challengeId: 'challenge-123', clientId: 'my-app', serverId: 'api.example.com' })
  * ```
  */
 export function encode(parameters: encode.Parameters) {
-  const { serverId, clientId } = parameters
+  const { serverId, clientId, challengeId } = parameters
   const buf = new Uint8Array(32)
 
   buf.set(Hex.toBytes(tag), 0)
   buf[4] = version
   buf.set(fingerprint(serverId), 5)
   if (clientId) buf.set(fingerprint(clientId), 15)
 
-  const nonce = crypto.getRandomValues(new Uint8Array(7))
-  buf.set(nonce, 25)
+  // Derive the nonce from keccak256(challengeId)[0..6] to bind the memo
+  // to the challenge and prevent transaction hash stealing.
+  // TODO: expand to full memo verification once the server tracks the complete attribution payload.
+  buf.set(challengeNonce(challengeId), 25)
 
   return Hex.fromBytes(buf)
 }
 
 export declare namespace encode {
   type Parameters = {
-    /** Server identity used to derive the server fingerprint. */
-    serverId: string
+    /** Challenge ID used to derive a deterministic nonce, binding the memo to the challenge. */
+    challengeId: string
     /** Optional client identity used to derive the client fingerprint. */
     clientId?: string | undefined
+    /** Server identity used to derive the server fingerprint. */
+    serverId: string
   }
 }
 
@@ -87,7 +91,7 @@ export declare namespace encode {
  * ```ts
  * import * as Attribution from './Attribution.js'
  *
- * Attribution.isMppMemo(Attribution.encode({ serverId: 'api.example.com' })) // true
+ * Attribution.isMppMemo(Attribution.encode({ challengeId: 'challenge-123', serverId: 'api.example.com' })) // true
  * Attribution.isMppMemo('0x0000...0000')      // false
  * ```
  */
@@ -124,7 +128,7 @@ export function verifyServer(memo: `0x${string}`, serverId: string): boolean {
  * ```ts
  * import * as Attribution from './Attribution.js'
  *
- * const memo = Attribution.encode({ serverId: 'api.example.com', clientId: 'my-app' })
+ * const memo = Attribution.encode({ challengeId: 'challenge-123', clientId: 'my-app', serverId: 'api.example.com' })
  * const decoded = Attribution.decode(memo)
  * // { version: 1, serverFingerprint: '0x...', clientFingerprint: '0x...', nonce: '0x...' }
  * ```
@@ -150,7 +154,32 @@ export declare namespace decode {
     serverFingerprint: `0x${string}`
     /** 10-byte client fingerprint hex, or `null` if anonymous. */
     clientFingerprint: `0x${string}` | null
-    /** 7-byte random nonce hex. */
+    /** 7-byte challenge-bound nonce hex (keccak256(challengeId)[0..6]). */
     nonce: `0x${string}`
   }
 }
+
+/**
+ * Computes the 7-byte challenge-bound nonce: keccak256(challengeId)[0..6].
+ * @internal
+ */
+export function challengeNonce(challengeId: string): Uint8Array {
+  const hash = Hash.keccak256(Bytes.fromString(challengeId), { as: 'Hex' })
+  return Hex.toBytes(Hex.slice(hash, 0, 7))
+}
+
+/**
+ * Verifies that a memo's nonce is bound to the given challengeId.
+ *
+ * Checks TAG, version byte, and that bytes 25–31 equal keccak256(challengeId)[0..6].
+ *
+ * @param memo - A `0x`-prefixed hex string (bytes32).
+ * @param challengeId - The expected challenge ID.
+ * @returns `true` if the memo has a valid MPP tag and matching challenge nonce.
+ */
+export function verifyChallengeBinding(memo: `0x${string}`, challengeId: string): boolean {
+  const decoded = decode(memo)
+  if (!decoded) return false
+  const expectedNonce = Hex.fromBytes(challengeNonce(challengeId))
+  return decoded.nonce.toLowerCase() === expectedNonce.toLowerCase()
+}