Listen to this Post
The vulnerability exists in Nimiq’s blockchain implementation (core‑rs‑albatross). Block timestamp validation currently enforces:
– `timestamp >= parent.timestamp` for non‑skip blocks.
– `timestamp == parent.timestamp + MIN_PRODUCER_TIMEOUT` for skip blocks.
However, there is no upper bound check against the actual wall clock. This means a malicious block‑producing validator can set a block’s timestamp arbitrarily far into the future – minutes, days, or even years ahead. When the network processes such a block, reward calculation functions (specifically `Policy::supply_at()` and `batch_delay()` in blockchain/src/reward.rs) rely on the manipulated timestamp. Because the emission schedule is tied to the passage of time, the inflated timestamp causes the reward logic to compute a much larger monetary supply than intended. Consequently, a validator can artificially inflate the total supply, leading to unexpected minting of tokens and severe economic disruption.
DailyCVE form (3 words max per line)
Platform: Nimiq Blockchain
Version: 1.3.0 earlier
Vulnerability : Missing clock bound
Severity: Critical
date: 2026‑04‑09
Prediction: Patch 2026‑06‑01
What Undercode Say:
Analytics – Bash commands to detect vulnerable nodes and verify timestamp manipulation
Check running Nimiq version (if binary accessible)
nimiq-node --version | grep -E "1.3.[0-9]" && echo "VULNERABLE"
Query local blockchain for recent blocks and timestamps
curl -s --data '{"jsonrpc":"2.0","id":1,"method":"getBlockByNumber","params":["latest",false]}' \
-H "Content-Type: application/json" -X POST http://localhost:8648/ | jq '.result.timestamp'
Monitor block timestamps for anomalous future values (e.g., beyond current time)
while true; do
latest=$(curl -s --data '{"jsonrpc":"2.0","id":1,"method":"getBlockByNumber","params":["latest",false]}' \
-H "Content-Type: application/json" -X POST http://localhost:8648/ | jq -r '.result.timestamp')
now=$(date +%s)
if [ "$latest" -gt "$now" ]; then
echo "ALERT: Block timestamp ($latest) is in the future (current: $now)"
fi
sleep 10
done
How Exploit:
A validator that is allowed to produce blocks crafts a new block and sets its `timestamp` field to a very high value (e.g., `U64::MAX` or now + 1 year). Because only lower‑bound checks exist, the block passes validation. The network then uses this future timestamp in `Policy::supply_at()` and batch_delay(), causing the reward calculation to think that much more time has elapsed, thereby minting excessive coins.
Protection from this CVE:
- Upgrade the Nimiq node to a patched version once available (expected June 2026).
- Manually enforce an upper bound in block validation logic, e.g., reject any block whose timestamp exceeds `current_wall_clock + MAX_DRIFT` (e.g., 5 minutes).
- Monitor block timestamps for values that exceed the local system time by an unreasonable margin.
Impact:
- Economic disruption: Inflated monetary supply breaks the intended emission schedule, devaluing the token.
- Reward miscalculation: Validators and stakers receive incorrect rewards, potentially leading to unfair distribution or loss of funds.
- Consensus instability: Future timestamps can desynchronize the network, cause fork disagreements, or allow malicious validators to manipulate reward payouts at will.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

