CVE-2026-34068

Name of the Vulnerable Software and Affected Versions nimiq-transaction versions prior to 1.3.0

Description The staking contract accepts UpdateValidator transactions that set new voting key=Some(...) while omitting new proof of knowledge. This bypasses the proof-of-knowledge requirement necessary to prevent BLS rogue-key attacks during public key aggregation. Since tendermint macro block justification verification aggregates validator voting keys and verifies a single aggregated BLS signature against that aggregate public key, a rogue-key voting key in the validator set could allow an attacker to forge a quorum-looking justification using only a single signature. Exploitability is low because voting keys are fixed for the epoch, requiring the attacker to know the next epoch validator set chosen through VRF (Verifiable Random Function).

Recommendations Update to version 1.3.0.