Nimiq (Rust implementation), Logic Flaw, CVE-2026-46539 (Moderate)

Listen to this Post

The vulnerability resides in the `BlockInclusionProof::is_block_proven` function. Under normal operation, this function performs a cryptographic verification of a block’s inclusion using the blockchain’s interlink structure. The `get_interlink_hops` function is called to gather the necessary hops for this proof. However, a logic flaw occurs when the target block is positioned exactly at the election block that immediately precedes the election head’s epoch. In this specific scenario, `get_interlink_hops` returns an empty hop list. The `is_block_proven` function, due to this flaw, interprets the empty list as a successful verification and returns `true` without performing any hash or signature checks. An attacker can exploit this by submitting forged transaction inclusion proofs, including a fabricated MacroBlock header for that epoch. The network, relying on is_block_proven, would accept this forged header as cryptographically valid, effectively bypassing the entire proof-of-inclusion security mechanism. This issue is rooted in the improper handling of edge cases in the interlink hop calculation.
Platform: nimiq-primitives
Version: <=0.2.0
Vulnerability: BlockInclusionProof logic flaw
Severity: Moderate
Date: 2026-05-15

Prediction: 2026-05-21

What Undercode Say:

Simulate the vulnerable `is_block_proven` check

function is_block_proven() {

local hops=$(get_interlink_hops “$1”)

if [ -z “$hops” ]; then

echo “true” ERROR: Returns true without verification

return 0

fi

… cryptographic verification code …

}

Example of forged macro block being accepted

forge_macro_block() {

local target_block=”election_block_at_epoch_boundary”

if is_block_proven “$target_block”; then

echo “Attack: Forged block accepted as proven!”

Submit the forged block to the network

fi

}

Code snippet showing the flawed logic in Rust

// Vulnerable code in nimiq-primitives

pub fn is_block_proven(&self) -> bool {

let hops = self.get_interlink_hops();

if hops.is_empty() {

return true; // <– No crypto verification performed here
}

// … perform cryptographic verification …

}

Exploit:

An attacker crafts a malicious MacroBlock header and submits it along with a transaction inclusion proof targeting an epoch boundary. The node calls get_interlink_hops, receives an empty vector, and the flaw causes `is_block_proven` to return true. The node then accepts the forged block as valid.

Protection from this CVE:

Upgrade to core-rs-albatross version 1.4.0 or later.

Impact:

An attacker can bypass cryptographic verification and forge MacroBlock headers, potentially leading to chain splits, double-spends, and a complete breakdown of the blockchain’s security model.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top