Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
5Blast Radius
ecosystem impact- 15 cargo packages depend on nimiq-account (6 direct, 9 indirect)
Ecosystem-wide dependent count for version 0.2.0.
DescriptionGitHub Advisory
Impact
VestingContract::can_change_balance returns AccountError::InsufficientFunds when new_balance < min_cap, but it constructs the error using balance: self.balance - min_cap. Coin::sub panics on underflow, so if an attacker can reach a state where min_cap > balance, the node crashes while trying to return an error.
The min_cap > balance precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding total_amount without validating total_amount <= transaction.value (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing.
Patches
The patch for this vulnerability is included as part of v1.3.0.
Workarounds
No known workarounds.
AnalysisAI
Denial of service in Nimiq's vesting contract allows remote unauthenticated attackers to crash nodes by crafting a vesting contract with total_amount exceeding the actual contract balance, then triggering a panic during error handling when min_cap > balance. The vulnerability exploits insufficient validation of vesting contract creation data and integer underflow in the Coin::sub operation, affecting all versions before 1.3.0. Active exploitation would require ability to broadcast transactions to the Nimiq network.
Technical ContextAI
The vulnerability exists in the VestingContract::can_change_balance method within nimiq-account, a Rust crate used by Nimiq's blockchain node software. Vesting contracts are created with 32-byte encoded data that specifies a total_amount parameter, but this value is never validated against the actual contract balance (transaction value). When an attacker creates such a contract with total_amount > actual_balance and later attempts to trigger an outgoing transaction, the error handling path attempts to construct an AccountError::InsufficientFunds error by computing balance: self.balance - min_cap. Because min_cap > balance in the attacker-controlled state, the Coin::sub operation underflows and panics, crashing the node during mempool admission or block processing. This is a CWE-191 (Integer Underflow) flaw masked as error handling logic.
RemediationAI
Upgrade nimiq-account to version 1.3.0 or later, which includes the patch released via commit 4d01946f0b3d6c6e31786f91cdfb3eb902908da0 (merged in GitHub PR #3658). This patch adds validation to ensure total_amount <= actual contract balance during vesting contract creation, preventing the attacker-reachable state. For Nimiq node operators, this typically requires rebuilding the node software with the updated crate dependency and restarting the node. No workarounds are available, so patching is the only mitigation. Reference the official GitHub advisory at https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-vc34-39q2-m6q3 for update instructions specific to your deployment.
Same weakness CWE-191 – Integer Underflow
View allSame technique Integer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25060
GHSA-vc34-39q2-m6q3