Listen to this Post
The vulnerability resides in the `BlockInclusionProof::is_block_proven` function. Under normal operation, this function performs a cryptographic verification of a block’s inclusion using the blockchain’s interlink structure. The `get_interlink_hops` function is called to gather the necessary hops for this proof. However, a logic flaw occurs when the target block is positioned exactly at the election block that immediately precedes the election head’s epoch. In this specific scenario, `get_interlink_hops` returns an empty hop list. The `is_block_proven` function, due to this flaw, interprets the empty list as a successful verification and returns `true` without performing any hash or signature checks. An attacker can exploit this by submitting forged transaction inclusion proofs, including a fabricated MacroBlock header for that epoch. The network, relying on is_block_proven, would accept this forged header as cryptographically valid, effectively bypassing the entire proof-of-inclusion security mechanism. This issue is rooted in the improper handling of edge cases in the interlink hop calculation.
Platform: nimiq-primitives
Version: <=0.2.0
Vulnerability: BlockInclusionProof logic flaw
Severity: Moderate
Date: 2026-05-15
Prediction: 2026-05-21
What Undercode Say:
Simulate the vulnerable `is_block_proven` check
function is_block_proven() {
local hops=$(get_interlink_hops “$1”)
if [ -z “$hops” ]; then
echo “true” ERROR: Returns true without verification
return 0
fi
… cryptographic verification code …
}
Example of forged macro block being accepted
forge_macro_block() {
local target_block=”election_block_at_epoch_boundary”
if is_block_proven “$target_block”; then
echo “Attack: Forged block accepted as proven!”
Submit the forged block to the network
fi
}
Code snippet showing the flawed logic in Rust
// Vulnerable code in nimiq-primitives
pub fn is_block_proven(&self) -> bool {
let hops = self.get_interlink_hops();
if hops.is_empty() {
return true; // <– No crypto verification performed here
}
// … perform cryptographic verification …
}
Exploit:
An attacker crafts a malicious MacroBlock header and submits it along with a transaction inclusion proof targeting an epoch boundary. The node calls get_interlink_hops, receives an empty vector, and the flaw causes `is_block_proven` to return true. The node then accepts the forged block as valid.
Protection from this CVE:
Upgrade to core-rs-albatross version 1.4.0 or later.
Impact:
An attacker can bypass cryptographic verification and forge MacroBlock headers, potentially leading to chain splits, double-spends, and a complete breakdown of the blockchain’s security model.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

