CVE-2026-34064 Overview
CVE-2026-34064 is an Integer Underflow vulnerability affecting the nimiq-account crate, which contains account primitives for Nimiq's Rust blockchain implementation. The vulnerability exists in the VestingContract::can_change_balance function, where improper arithmetic operations can cause a panic condition leading to node crashes.
Prior to version 1.3.0, the VestingContract::can_change_balance function returns AccountError::InsufficientFunds when new_balance < min_cap, but constructs the error using balance: self.balance - min_cap. The Coin::sub function panics on underflow, so if an attacker can reach a state where min_cap > balance, the node crashes while attempting to return an error.
Critical Impact
Attackers can crash Nimiq blockchain nodes by exploiting an integer underflow condition in vesting contract balance validation, potentially disrupting network consensus and availability.
Affected Products
- nimiq-account (Rust crate) versions prior to 1.3.0
- Nimiq core-rs-albatross versions prior to v1.3.0
Discovery Timeline
- 2026-04-22 - CVE-2026-34064 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-34064
Vulnerability Analysis
This vulnerability stems from CWE-191 (Integer Underflow) in the Nimiq blockchain's vesting contract implementation. The core issue lies in the error handling path of the VestingContract::can_change_balance function.
When a balance change is attempted that would result in new_balance < min_cap, the function attempts to construct an AccountError::InsufficientFunds error. However, the error construction calculates self.balance - min_cap using the Coin::sub operation, which panics when the result would be negative (i.e., when min_cap > balance).
The min_cap > balance precondition is attacker-reachable because the vesting contract creation data in 32-byte format allows encoding total_amount without validating that total_amount <= transaction.value (the real contract balance). This validation gap creates a path to trigger the vulnerable code.
Root Cause
The root cause is a missing validation check during vesting contract creation combined with unsafe arithmetic in error handling. The 32-byte contract creation format permits specifying a total_amount that exceeds the actual transaction.value deposited into the contract. When this malformed contract is later interacted with, the arithmetic underflow occurs during error construction rather than being safely handled.
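To make the failure mode concrete, here is an added Rust sketch (not code from nimiq-account or the Nimiq project; `Coin`, `VestingContract` and `AccountError` are simplified stand-ins) showing the error path that panics beside a version that handles the underflow, plus the creation-time bound check the page describes as missing.

```rust
use std::ops::Sub;

// Simplified stand-ins (assumption): not the crate's real Coin/VestingContract/AccountError.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Coin(pub u64);

// Models the described behaviour: Coin::sub panics on underflow.
impl Sub for Coin {
    type Output = Coin;
    fn sub(self, rhs: Coin) -> Coin {
        Coin(self.0.checked_sub(rhs.0).expect("Coin::sub underflow"))
    }
}
#[derive(Debug, PartialEq, Eq)]
pub enum AccountError {
    InsufficientFunds { needed: Coin, balance: Coin },
    InvalidContractData,
}

pub struct VestingContract {
    pub balance: Coin,      // coins actually deposited by the creation transaction
    pub total_amount: Coin, // value taken from the 32-byte creation data
}

impl VestingContract {
    // Vulnerable shape: `self.balance - min_cap` is evaluated while building
    // the error, so min_cap > balance panics instead of returning Err.
    pub fn can_change_balance_vulnerable(&self, new_balance: Coin, min_cap: Coin) -> Result<(), AccountError> {
        if new_balance < min_cap {
            return Err(AccountError::InsufficientFunds { needed: min_cap, balance: self.balance - min_cap });
        }
        Ok(())
    }

    // Defensive shape: no unchecked arithmetic on the error path.
    pub fn can_change_balance_checked(&self, new_balance: Coin, min_cap: Coin) -> Result<(), AccountError> {
        if new_balance < min_cap {
            let balance = self.balance.0.checked_sub(min_cap.0).map(Coin).unwrap_or(Coin(0));
            return Err(AccountError::InsufficientFunds { needed: min_cap, balance });
        }
        Ok(())
    }
}

// Creation-time check the page identifies as missing: reject total_amount > deposited value.
pub fn create_vesting(total_amount: Coin, tx_value: Coin) -> Result<VestingContract, AccountError> {
    if total_amount > tx_value {
        return Err(AccountError::InvalidContractData);
    }
    Ok(VestingContract { balance: tx_value, total_amount })
}
```

With the creation check in place a contract whose `total_amount` exceeds its deposit is never stored, so the `min_cap > balance` state that reaches the panicking subtraction cannot arise; the checked error path is the second, independent layer.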
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker executes the following sequence:
- Create a vesting contract using the 32-byte format, specifying a total_amount value greater than the actual transaction.value deposited
- Broadcast an outgoing transaction from this malformed vesting contract
- When the node processes this transaction (during mempool admission or block processing), it invokes can_change_balance
- The function detects insufficient funds and attempts to construct an error, but Coin::sub panics due to the underflow condition
- The panic causes the node process to crash
This attack can target nodes during both mempool admission and block processing phases, potentially disrupting network consensus operations.
Detection Methods for CVE-2026-34064
Indicators of Compromise
- Unexpected Nimiq node crashes with panic messages referencing Coin::sub underflow
- Vesting contract creation transactions where total_amount exceeds transaction.value
- Repeated node restarts coinciding with specific transaction broadcasts
- Log entries showing panics in VestingContract::can_change_balance execution path
Detection Strategies
- Monitor Nimiq node logs for panic conditions related to arithmetic operations in vesting contract code
- Implement transaction validation rules to flag vesting contracts where total_amount exceeds deposited value
- Deploy node health monitoring to detect unexpected crashes and correlate with transaction activity
- Analyze mempool contents for transactions targeting known malformed vesting contracts
Monitoring Recommendations
- Configure alerting for Nimiq node process crashes and automatic restart events
- Monitor blockchain transaction patterns for anomalous vesting contract creation sequences
- Implement network-level monitoring to detect coordinated node crash attempts across the network
- Review node telemetry for elevated crash rates following specific transaction types
How to Mitigate CVE-2026-34064
Immediate Actions Required
- Upgrade nimiq-account and core-rs-albatross to version 1.3.0 or later immediately
- Review existing vesting contracts for potential malformed total_amount values
- Implement node restart automation with rate limiting to maintain availability during potential attacks
- Consider temporarily filtering vesting contract transactions at the mempool level until patched
Patch Information
The vulnerability is addressed in version 1.3.0 of Nimiq core-rs-albatross. The fix is available in commit 4d01946f0b3d6c6e31786f91cdfb3eb902908da0 and was merged via pull request #3658. The patched release is available at the v1.3.0 release page. Additional details are available in the GitHub Security Advisory.
Workarounds
- No official workarounds are available according to the security advisory
- Upgrading to version 1.3.0 is the only recommended remediation
- Network operators may consider implementing transaction filtering as a temporary measure pending upgrade
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.