CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Description (NVD)
Impact
VestingContract::can_change_balance returns AccountError::InsufficientFunds when new_balance < min_cap, but it constructs the error using balance: self.balance - min_cap. Coin::sub panics on underflow, so if an attacker can reach a state where min_cap > balance, the node crashes while trying to return an error.
The min_cap > balance precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding total_amount without validating total_amount <= transaction.value (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing.
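The failure mode described above, as an added example that is not Nimiq's code: a panic while building the error value, next to a saturating form and a creation-time bound check. The types `Coin`, `Vesting`, `create`, `can_change_balance_unchecked` and the `InvalidCreationData` variant are simplified, hypothetical stand-ins, and `min_cap` is modelled as a stored field.

```rust
use std::ops::Sub;

// Simplified stand-in (assumption): subtraction panics on underflow, as the advisory says of Coin::sub.
#[derive(Clone, Copy, Debug, PartialEq, PartialOrd)]
pub struct Coin(pub u64);
impl Sub for Coin {
    type Output = Coin;
    fn sub(self, rhs: Coin) -> Coin {
        Coin(self.0.checked_sub(rhs.0).expect("Coin underflow"))
    }
}

#[derive(Debug, PartialEq)]
pub enum AccountError { InsufficientFunds { balance: Coin }, InvalidCreationData }

// Assumption: min_cap is a plain field here; it stands for the still-locked amount.
pub struct Vesting { pub balance: Coin, pub min_cap: Coin }

// Creation-time check: reject a total_amount larger than the value that funds the contract.
pub fn create(value: Coin, total_amount: Coin) -> Result<Vesting, AccountError> {
    if total_amount > value { return Err(AccountError::InvalidCreationData); }
    Ok(Vesting { balance: value, min_cap: total_amount })
}

impl Vesting {
    // Pattern from the advisory: the error path itself performs a panicking subtraction.
    pub fn can_change_balance_unchecked(&self, new_balance: Coin) -> Result<(), AccountError> {
        if new_balance < self.min_cap {
            // Panics when min_cap > balance, so no Err is ever returned.
            return Err(AccountError::InsufficientFunds { balance: self.balance - self.min_cap });
        }
        Ok(())
    }

    // Hardened form: the reported spendable amount saturates at zero instead of panicking.
    pub fn can_change_balance(&self, new_balance: Coin) -> Result<(), AccountError> {
        if new_balance < self.min_cap {
            let spendable = Coin(self.balance.0.saturating_sub(self.min_cap.0));
            return Err(AccountError::InsufficientFunds { balance: spendable });
        }
        Ok(())
    }
}

fn main() {
    // Constructed state with min_cap > balance, the precondition the advisory describes.
    let v = Vesting { balance: Coin(10), min_cap: Coin(100) };
    println!("{:?}", v.can_change_balance(Coin(5)));
    println!("{:?}", create(Coin(10), Coin(100)).err());
}
```

Either guard alone removes the crash in this model; the bound check in `create` also keeps the inconsistent state from existing in the first place.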
Patches
The patch for this vulnerability is included as part of v1.3.0.
Workarounds
No known workarounds.
Analysis (AI)
Denial of service in Nimiq's vesting contract allows remote unauthenticated attackers to crash nodes by crafting a vesting contract with total_amount exceeding the actual contract balance, then triggering a panic during error handling when min_cap > balance. The vulnerability exploits insufficient validation of vesting contract creation data and integer underflow in the Coin::sub operation, affecting all versions before 1.3.0. …
EUVD-2026-25060
GHSA-vc34-39q2-m6q3