Description
nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance < min_cap`, but it constructs the error using `balance: self.balance - min_cap`. `Coin::sub` panics on underflow, so if an attacker can reach a state where `min_cap > balance`, the node crashes while trying to return an error. The `min_cap > balance` precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding `total_amount` without validating `total_amount <= transaction.value` (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.
Published: 2026-04-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (node crash)
Action: Upgrade Node
AI Analysis

Impact

VestingContract::can_change_balance incorrectly builds an InsufficientFunds error by subtracting min_cap from balance, which underflows when the vesting contract’s minimum cap exceeds the current account balance. The underlying Coin::sub operation then panics, aborting the node during mempool admission or block validation. The failure manifests as a denial of service: otherwise healthy Nimiq nodes crash and stay offline until restarted.

Affected Systems

Affects Nimiq’s Rust‑based core, specifically the nimiq‑account module. All releases before v1.3.0 are susceptible. Version 1.3.0 and later contain the fix.

Risk and Exploitability

CVSS score 5.3 indicates moderate severity, and the EPSS is currently unavailable. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the panic by creating a vesting contract with total amount greater than the transaction value, and then broadcasting a transaction that invokes can_change_balance, which is reachable remotely through normal network operations. While no exploit code is publicly known, the conditions are straightforward enough that an attacker could craft a custom transaction, making the risk moderate but significant for nodes that accept unfiltered contracts.

Generated by OpenCVE AI on April 27, 2026 at 08:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Nimiq core v1.3.0 or later, which contains the underflow patch.
  • If an upgrade is impossible, impose stricter validation on vesting contracts by ensuring total_amount does not exceed the transaction value before processing.
  • Continuously monitor node logs for panic events; if such an event occurs, isolate or restart the node to restore service.
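The defect and the creation-time validation recommended above, reduced to a runnable Rust model. This is an added illustration, not nimiq-account's code: the Coin, VestingContract and AccountError types, the error's needed/balance fields, the "nothing vested yet" min_cap schedule and the catch_unwind harness that stands in for a node crash are all assumptions; the hardened can_change_balance is one way to make the error path non-panicking and is not necessarily the upstream v1.3.0 patch.

```rust
// Added model of the CVE-2026-34064 bug pattern; NOT nimiq-account's code.
// Types, field names, the min_cap schedule and the crash harness are assumptions.
use std::panic::{catch_unwind, AssertUnwindSafe};

/// Toy coin: `-` panics on underflow, as the advisory describes for Coin::sub.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Coin(pub u64);

impl std::ops::Sub for Coin {
    type Output = Coin;
    fn sub(self, rhs: Coin) -> Coin {
        Coin(self.0.checked_sub(rhs.0).expect("Coin subtraction underflow"))
    }
}

impl Coin {
    /// Non-panicking subtraction used by the hardened paths.
    pub fn checked_sub(self, rhs: Coin) -> Option<Coin> {
        self.0.checked_sub(rhs.0).map(Coin)
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum AccountError {
    /// Field names are assumptions, not the real error layout.
    InsufficientFunds { needed: Coin, balance: Coin },
    /// Creation data claims more vesting than the transaction funds.
    InvalidCreationData,
}

/// `balance` is the real funded amount; `total_amount` comes from creation data.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct VestingContract {
    pub balance: Coin,
    pub total_amount: Coin,
}

impl VestingContract {
    /// Vulnerable creation: no `total_amount <= transaction_value` check,
    /// so min_cap can exceed the balance the contract actually holds.
    pub fn create_unchecked(total_amount: Coin, transaction_value: Coin) -> Self {
        VestingContract { balance: transaction_value, total_amount }
    }

    /// Hardened creation: reject creation data that overstates the funded amount.
    pub fn create_checked(total_amount: Coin, transaction_value: Coin) -> Result<Self, AccountError> {
        if total_amount > transaction_value {
            return Err(AccountError::InvalidCreationData);
        }
        Ok(VestingContract { balance: transaction_value, total_amount })
    }

    /// Assumed schedule: nothing has vested yet, so min_cap is the full total_amount.
    pub fn min_cap(&self) -> Coin {
        self.total_amount
    }

    /// Bug pattern from the advisory: `self.balance - min_cap` panics when
    /// min_cap > balance, so the node crashes instead of returning the error.
    pub fn can_change_balance_vulnerable(&self, new_balance: Coin) -> Result<(), AccountError> {
        let min_cap = self.min_cap();
        if new_balance < min_cap {
            return Err(AccountError::InsufficientFunds {
                needed: min_cap - new_balance,   // safe: guarded by the branch condition
                balance: self.balance - min_cap, // underflows and panics
            });
        }
        Ok(())
    }

    /// One hardened form: the error path never uses unchecked subtraction.
    pub fn can_change_balance_fixed(&self, new_balance: Coin) -> Result<(), AccountError> {
        let min_cap = self.min_cap();
        if new_balance < min_cap {
            return Err(AccountError::InsufficientFunds {
                needed: min_cap - new_balance,
                balance: self.balance.checked_sub(min_cap).unwrap_or(Coin(0)),
            });
        }
        Ok(())
    }
}

/// What a node observes when an outgoing transaction of `amount` is admitted.
#[derive(Debug, PartialEq, Eq)]
pub enum Admission {
    Accepted,
    Rejected(AccountError),
    /// The check panicked: in a real node this is the process aborting.
    NodeCrashed,
}

pub fn admit_outgoing(contract: &VestingContract, amount: Coin, hardened: bool) -> Admission {
    // Spending more than the balance is rejected up front in both variants; the
    // interesting case is amount <= balance while min_cap > balance.
    let new_balance = match contract.balance.checked_sub(amount) {
        Some(b) => b,
        None => return Admission::Rejected(AccountError::InsufficientFunds { needed: amount, balance: contract.balance }),
    };
    let result = catch_unwind(AssertUnwindSafe(|| {
        if hardened { contract.can_change_balance_fixed(new_balance) } else { contract.can_change_balance_vulnerable(new_balance) }
    }));
    match result {
        Ok(Ok(())) => Admission::Accepted,
        Ok(Err(e)) => Admission::Rejected(e),
        Err(_) => Admission::NodeCrashed,
    }
}

fn main() {
    // Constructed scenario: creation data claims 1_000 while the tx funds only 100.
    let bad = VestingContract::create_unchecked(Coin(1_000), Coin(100));
    println!("vulnerable: {:?}", admit_outgoing(&bad, Coin(10), false));
    println!("hardened:   {:?}", admit_outgoing(&bad, Coin(10), true));
    println!("creation:   {:?}", VestingContract::create_checked(Coin(1_000), Coin(100)));
}
```

Running it shows the same overstated contract producing NodeCrashed on the vulnerable path and a plain Rejected error on the hardened one, while create_checked refuses the creation data outright; a well-formed contract (total_amount at or below the funding value) behaves identically under both checks, which is why the creation-time validation is a reasonable stopgap where the crate cannot be upgraded.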


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-vc34-39q2-m6q3
Title: nimiq-account: Vesting insufficient funds error can panic
History

Mon, 27 Apr 2026 20:15:00 +0000

Type: First Time appeared; Values Added: Nimiq nimiq-account
Type: Vendors & Products; Values Added: Nimiq nimiq-account

Fri, 24 Apr 2026 17:15:00 +0000

Type: First Time appeared; Values Added: Nimiq, Nimiq nimiq Proof-of-stake
Type: CPEs; Values Added: cpe:2.3:a:nimiq:nimiq_proof-of-stake:*:*:*:*:*:rust:*:*
Type: Vendors & Products; Values Added: Nimiq, Nimiq nimiq Proof-of-stake

Thu, 23 Apr 2026 17:15:00 +0000

Type: Metrics ssvc; Values Added:

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 20:00:00 +0000

Type: Description; Values Added: (identical to the Description section above)
Type: Title; Values Added: nimiq-account: Vesting insufficient funds error can panic
Type: Weaknesses; Values Added: CWE-191
Type: References; Values Added: (none listed)
Type: Metrics cvssV3_1; Values Added:

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T16:25:19.186Z

Reserved: 2026-03-25T16:21:40.867Z

Link: CVE-2026-34064

Vulnrichment

Updated: 2026-04-23T13:29:35.983Z

NVD

Status : Analyzed

Published: 2026-04-22T20:16:40.900

Modified: 2026-04-24T17:12:30.763

Link: CVE-2026-34064

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T19:53:10Z

Weaknesses