PT-2026-34545 · Unknown · Nimiq-Account

Published: 2026-04-22 · Updated: 2026-04-23 · CVE-2026-34064

CVSS v3.1: 8.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions

nimiq-account versions prior to 1.3.0

Description

The VestingContract::can_change_balance() function returns AccountError::InsufficientFunds when new_balance is less than min_cap, but it calculates the error balance using self.balance - min_cap. Because Coin::sub panics on underflow, a node crashes if min_cap is greater than balance. This state is reachable because the vesting contract creation data in 32-byte format allows encoding total_amount without validating that it is less than or equal to the actual contract balance (transaction.value). An attacker can create such a contract and broadcast an outgoing transaction to trigger the panic during block processing and mempool admission.

Recommendations

Update to version 1.3.0.
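
The failure mode described above, as an added Rust illustration: a simplified model, not the nimiq-account source or its 1.3.0 patch. The Coin wrapper, the min_cap field, the reduced error shape, the _panicking and _checked function names and validate_creation are assumptions made for the example; saturating subtraction and the creation-time bound are one possible hardening.

```rust
// Added illustration: simplified model, not the nimiq-account source.
#[derive(Clone, Copy, Debug, PartialEq, PartialOrd)]
pub struct Coin(pub u64);

impl std::ops::Sub for Coin {
    type Output = Coin;
    // Models the stated behaviour: subtraction panics on underflow.
    fn sub(self, rhs: Coin) -> Coin {
        Coin(self.0.checked_sub(rhs.0).expect("Coin underflow"))
    }
}

#[derive(Debug, PartialEq)]
pub enum AccountError {
    InsufficientFunds { balance: Coin }, // assumed, reduced error shape
    InvalidCreationData,                 // hypothetical variant
}

// Assumption: min_cap is a plain field to keep the model small.
pub struct Vesting { pub balance: Coin, pub min_cap: Coin }

impl Vesting {
    // Pattern from the description: error value built with a panicking subtraction.
    pub fn can_change_balance_panicking(&self, new_balance: Coin) -> Result<(), AccountError> {
        if new_balance < self.min_cap {
            let balance = self.balance - self.min_cap; // panics when min_cap > balance
            return Err(AccountError::InsufficientFunds { balance });
        }
        Ok(())
    }
    // Hardened form: the error path can no longer underflow.
    pub fn can_change_balance_checked(&self, new_balance: Coin) -> Result<(), AccountError> {
        if new_balance < self.min_cap {
            let balance = Coin(self.balance.0.saturating_sub(self.min_cap.0));
            return Err(AccountError::InsufficientFunds { balance });
        }
        Ok(())
    }
}

// Creation-time bound: total_amount must not exceed the funded transaction value.
pub fn validate_creation(total_amount: Coin, value: Coin) -> Result<(), AccountError> {
    if total_amount > value { return Err(AccountError::InvalidCreationData); }
    Ok(())
}

fn main() {
    let v = Vesting { balance: Coin(100), min_cap: Coin(500) }; // constructed values
    println!("{:?} {:?}", v.can_change_balance_checked(Coin(50)), validate_creation(Coin(500), Coin(100)));
}
```

Either guard alone removes the crash in this model: the creation-time bound keeps the min_cap > balance state from being encoded, and the saturating error path tolerates it if it exists already.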

Fix

Integer Underflow


Weakness Enumeration

Related Identifiers

CVE-2026-34064
GHSA-VC34-39Q2-M6Q3

Affected Products

Nimiq-Account