CVE-2026-34064: nimiq-account: Vesting insufficient funds error can panic
VestingContract::can_change_balance returns AccountError::InsufficientFunds when new_balance < min_cap, but it constructs the error using balance: self.balance - min_cap. Coin::sub panics on underflow, so if an attacker can reach a state where min_cap > balance, the node crashes while trying to return an error.
The min_cap > balance precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding total_amount without validating total_amount <= transaction.value (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing.
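The two paragraphs above describe a panicking subtraction on an error path and the missing creation-time check that makes it reachable. The following is an added illustration, not code from nimiq/core-rs-albatross: a minimal model in which `Coin`, `AccountError::InsufficientFunds`, `VestingContract`, `min_cap` and `can_change_balance` follow the advisory's description, but the struct fields, the collapsed vesting schedule (a caller-supplied `vested` amount), the `create_vesting` guard and the hardened variant are assumptions for demonstration and are not claimed to be the upstream patch.

```rust
use std::ops::Sub;

/// Minimal stand-in for nimiq's Coin. As the advisory states for the real type,
/// plain subtraction panics on underflow (assumed implementation).
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Coin(pub u64);

impl Sub for Coin {
    type Output = Coin;
    fn sub(self, rhs: Coin) -> Coin {
        Coin(self.0.checked_sub(rhs.0).expect("Coin subtraction underflow"))
    }
}

impl Coin {
    pub fn saturating_sub(self, rhs: Coin) -> Coin {
        Coin(self.0.saturating_sub(rhs.0))
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum AccountError {
    InsufficientFunds { needed: Coin, balance: Coin },
    InvalidCreationData,
}

/// Heavily simplified vesting contract (assumption): the time-based schedule is
/// replaced by a caller-supplied `vested` amount; `total_amount` is the value
/// encoded in the 32-byte creation data, `balance` the value actually funded.
#[derive(Debug)]
pub struct VestingContract {
    pub balance: Coin,
    pub total_amount: Coin,
}

impl VestingContract {
    /// Amount that must still remain locked: total_amount minus what has vested.
    pub fn min_cap(&self, vested: Coin) -> Coin {
        self.total_amount.saturating_sub(vested)
    }

    /// Vulnerable shape: on the error path `self.balance - min_cap` underflows
    /// whenever min_cap > balance, so the caller panics instead of receiving Err.
    pub fn can_change_balance_vulnerable(&self, new_balance: Coin, vested: Coin) -> Result<(), AccountError> {
        let min_cap = self.min_cap(vested);
        if new_balance < min_cap {
            return Err(AccountError::InsufficientFunds {
                needed: min_cap - new_balance,
                balance: self.balance - min_cap,
            });
        }
        Ok(())
    }

    /// Hardened shape (one possible fix, not necessarily the upstream one):
    /// never perform a panicking subtraction while building an error value.
    pub fn can_change_balance_fixed(&self, new_balance: Coin, vested: Coin) -> Result<(), AccountError> {
        let min_cap = self.min_cap(vested);
        if new_balance < min_cap {
            return Err(AccountError::InsufficientFunds {
                needed: min_cap.saturating_sub(new_balance),
                balance: self.balance.saturating_sub(min_cap),
            });
        }
        Ok(())
    }
}

/// Creation-time check the advisory says was missing: the encoded total_amount
/// must not exceed the value actually transferred into the contract, otherwise
/// min_cap > balance is reachable before a single outgoing transaction.
pub fn create_vesting(total_amount: Coin, tx_value: Coin) -> Result<VestingContract, AccountError> {
    if total_amount > tx_value {
        return Err(AccountError::InvalidCreationData);
    }
    Ok(VestingContract { balance: tx_value, total_amount })
}

fn main() {
    // Constructed scenario: contract funded with 100 but encoded total_amount 1000,
    // nothing vested yet, so min_cap (1000) > balance (100).
    let c = VestingContract { balance: Coin(100), total_amount: Coin(1000) };
    let r = std::panic::catch_unwind(|| c.can_change_balance_vulnerable(Coin(50), Coin(0)));
    println!("vulnerable path panicked: {}", r.is_err());
    println!("fixed path: {:?}", c.can_change_balance_fixed(Coin(50), Coin(0)));
    println!("creation guard rejects it: {}", create_vesting(Coin(1000), Coin(100)).is_err());
}
```

Both layers matter: the creation guard removes the attacker-reachable precondition, while the saturating error construction makes the balance check total so that no future inconsistency in stored state can turn an `Err` into a node crash.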
References
- github.com/advisories/GHSA-vc34-39q2-m6q3
- github.com/nimiq/core-rs-albatross
- github.com/nimiq/core-rs-albatross/commit/4d01946f0b3d6c6e31786f91cdfb3eb902908da0
- github.com/nimiq/core-rs-albatross/pull/3658
- github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0
- github.com/nimiq/core-rs-albatross/security/advisories/GHSA-vc34-39q2-m6q3
- nvd.nist.gov/vuln/detail/CVE-2026-34064