Summary
During a routine audit of an Aster ecosystem trading integration, we discovered a critical vulnerability in the Model Context Protocol (MCP) Server-Sent Events (SSE) endpoint. The server accepted trade execution commands without any form of authentication.
Severity: P0 — Critical
Status: Disclosed, patch verified
CVSS: 9.8 (Network / Low complexity / No auth required)
The vulnerability
The MCP SSE server exposed a WebSocket-like event stream that accepted structured commands. The intended flow was:
- Client authenticates via JWT
- Client receives a session token
- Commands are validated against the session
What actually happened: step 1 and 2 were optional. The server accepted raw commands on the SSE stream without checking for any authentication header or session token.
POST /mcp/execute
Content-Type: application/json
{
"action": "trade",
"pair": "ASTER/USDC",
"side": "buy",
"amount": 10000
}
No Authorization header. No session cookie. No API key. The server executed the trade.
Impact
An attacker with network access to the endpoint could execute arbitrary trades, modify positions, and drain balances — all without credentials.
Timeline
- 2026-02-28 — Vulnerability discovered during audit
- 2026-03-01 — PoC developed, confirmed full trade execution
- 2026-03-02 — Disclosed to project team
- 2026-03-05 — Emergency patch deployed
- 2026-03-15 — Public writeup (coordinated)
Remediation
The fix required three changes: mandatory JWT validation on the SSE connection handshake, per-command signature verification using HMAC-SHA256, and rate limiting on the execute endpoint.
We verified the patch and confirmed all three controls are enforced.
This finding is part of our ongoing security research across the Aster ecosystem. If you want your project audited, request an audit.