Nimiq · Nimiq-Blockchain · CVE-2026-40092
**Name of the Vulnerable Software and Affected Versions**
nimiq-blockchain versions prior to 1.4.0
**Description**
A malicious network peer can crash a Nimiq full node by publishing a crafted Kademlia DHT record. The record contains a `TaggedSigned<ValidatorRecord, KeyPair>` with a signature field whose byte length is not exactly 64. When the node's DHT verifier calls `TaggedSigned::verify`, execution reaches `Ed25519Signature::from_bytes(sig).unwrap()` in the `TaggedPublicKey` implementation for `Ed25519PublicKey`. The `from_bytes` call fails because `ed25519_zebra::Signature::try_from` rejects slices that are not 64 bytes, so the `unwrap()` panics and crashes the node. This issue specifically affects the Ed25519 implementation, whereas the BLS `TaggedPublicKey` implementation correctly handles the error.
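As an added illustration (not code from the Nimiq project or from this advisory), the following Rust contrasts the two error-handling paths the description refers to: unwrapping the result of parsing a peer-supplied signature, versus propagating the parse error so that a malformed record is rejected instead of crashing the node. `Ed25519Signature`, `SignatureError` and the function names are stand-ins invented for this example; the only behaviour taken from the advisory is that the signature parser accepts exactly 64 bytes. No cryptographic verification is performed here, only the length-validation boundary where the panic occurs.

```rust
// Added example modelling the unwrap-on-untrusted-input defect class.
// `Ed25519Signature` stands in for ed25519_zebra::Signature, whose
// TryFrom<&[u8]> rejects any slice that is not exactly 64 bytes.
use std::convert::TryFrom;
use std::panic;

pub const SIGNATURE_LENGTH: usize = 64;

#[derive(Debug, PartialEq)]
pub struct Ed25519Signature(pub [u8; SIGNATURE_LENGTH]);

#[derive(Debug, PartialEq)]
pub enum SignatureError {
    /// The slice was not exactly 64 bytes long; carries the offending length.
    WrongLength(usize),
}

impl TryFrom<&[u8]> for Ed25519Signature {
    type Error = SignatureError;

    fn try_from(bytes: &[u8]) -> Result<Self, Self::Error> {
        // Fixed-size array conversion fails for any other length; no copy
        // happens until the length is known to be right.
        <[u8; SIGNATURE_LENGTH]>::try_from(bytes)
            .map(Ed25519Signature)
            .map_err(|_| SignatureError::WrongLength(bytes.len()))
    }
}

/// Vulnerable pattern: the parse result is unwrapped, so bytes chosen by a
/// remote peer decide whether this thread panics.
pub fn parse_signature_unwrap(sig: &[u8]) -> Ed25519Signature {
    Ed25519Signature::try_from(sig).unwrap() // panics when sig.len() != 64
}

/// Hardened pattern: a malformed signature is reported to the caller, which
/// treats it as a verification failure and drops the record.
pub fn parse_signature_checked(sig: &[u8]) -> Result<Ed25519Signature, SignatureError> {
    Ed25519Signature::try_from(sig)
}

/// Robustness check a reviewer or fuzzer would run: feed every length from
/// 0 to 128 bytes through both parsers and count how often each one panics.
/// Returns (panics_in_unwrap_path, panics_in_checked_path).
pub fn count_panics_over_lengths() -> (usize, usize) {
    let mut unwrap_panics = 0;
    let mut checked_panics = 0;
    for len in 0..=2 * SIGNATURE_LENGTH {
        // Constructed input: only the length matters for this check.
        let sig = vec![0u8; len];
        if panic::catch_unwind(|| {
            parse_signature_unwrap(&sig);
        })
        .is_err()
        {
            unwrap_panics += 1;
        }
        if panic::catch_unwind(|| {
            let _ = parse_signature_checked(&sig);
        })
        .is_err()
        {
            checked_panics += 1;
        }
    }
    (unwrap_panics, checked_panics)
}

fn main() {
    // A 63-byte field, as a crafted record might carry.
    match parse_signature_checked(&[0u8; 63]) {
        Ok(_) => println!("accepted"),
        Err(e) => println!("rejected without panic: {:?}", e),
    }
    let (unwrap_panics, checked_panics) = count_panics_over_lengths();
    println!(
        "lengths 0..=128: unwrap path panicked {} times, checked path {} times",
        unwrap_panics, checked_panics
    );
}
```

The `count_panics_over_lengths` sweep is the kind of negative test that would have caught this before release: every length other than 64 panics in the unwrap path and none do in the checked path, which is the difference between an attacker-triggered crash and a rejected DHT record.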
**Recommendations**
Update to version 1.4.0.