CVE-2026-34064

nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, VestingContract::can change balance returns AccountError::InsufficientFunds when new balance < min cap, but it constructs the error using balance: self.balance - min cap. Coin::sub panics on underflow, so if an attacker can reach a state where min cap > balance, the node crashes while trying to return an error. The min cap > balance precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding total amount without validating total amount <= transaction.value (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.