CVE-2026-40093
Timestamp Manipulation in Nimiq Blockchain Causes Monetary Inflation
Publication date: 2026-04-09
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nimiq | nimiq_proof-of-stake | to 1.3.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1284 | The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Rust implementation of nimiq-blockchain, specifically in versions 1.3.0 and earlier, and concerns the validation of block timestamps. The system enforces that a block's timestamp must be greater than or equal to its parent's timestamp for non-skip blocks, and exactly equal to the parent's timestamp plus a minimum timeout for skip blocks. It does not, however, enforce an upper bound against the actual current time (wall clock).
This means a malicious block-producing validator can set block timestamps arbitrarily far into the future. This manipulation affects reward calculations, causing the monetary supply to inflate beyond the intended emission schedule.
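The check described above, as an added Rust example that is not Nimiq's code: `check_relative` applies only the parent-relative rules, and `check_bounded` adds the missing wall-clock upper bound. The `Header` type, the error enum, both function names, and the drift and timeout constants are assumptions made for illustration.

```rust
// Added illustration with hypothetical types and values; not Nimiq's actual code.
const MAX_FUTURE_DRIFT_MS: u64 = 1_000; // assumed clock-skew tolerance
const MIN_SKIP_TIMEOUT_MS: u64 = 4_000; // assumed minimum skip-block timeout

#[derive(Debug, PartialEq)]
pub enum TimestampError {
    BeforeParent,
    WrongSkipTimestamp,
    TooFarInFuture,
}

pub struct Header {
    pub timestamp_ms: u64,
    pub is_skip: bool,
}

/// Parent-relative rules only: nothing ties the timestamp to real time.
pub fn check_relative(parent: &Header, block: &Header) -> Result<(), TimestampError> {
    if block.is_skip {
        // Skip blocks must sit exactly at parent + minimum timeout.
        // checked_add avoids wrap-around for a parent timestamp near u64::MAX.
        if parent.timestamp_ms.checked_add(MIN_SKIP_TIMEOUT_MS) != Some(block.timestamp_ms) {
            return Err(TimestampError::WrongSkipTimestamp);
        }
    } else if block.timestamp_ms < parent.timestamp_ms {
        return Err(TimestampError::BeforeParent);
    }
    Ok(())
}

/// Relative rules plus an upper bound against the verifier's wall clock.
pub fn check_bounded(parent: &Header, block: &Header, now_ms: u64) -> Result<(), TimestampError> {
    check_relative(parent, block)?;
    if block.timestamp_ms > now_ms.saturating_add(MAX_FUTURE_DRIFT_MS) {
        return Err(TimestampError::TooFarInFuture);
    }
    Ok(())
}

fn main() {
    let now_ms: u64 = 1_775_000_000_000; // constructed "current time"
    let parent = Header { timestamp_ms: now_ms - 1_000, is_skip: false };
    // Constructed block dated one day ahead of the verifier's clock.
    let future = Header { timestamp_ms: now_ms + 86_400_000, is_skip: false };
    println!("relative only: {:?}", check_relative(&parent, &future));
    println!("with bound:    {:?}", check_bounded(&parent, &future, now_ms));
}
```

In a real node `now_ms` would come from the local clock at verification time, so the tolerance has to cover ordinary clock skew between validators.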
How can this vulnerability impact me?
This vulnerability can lead to an inflation of the monetary supply in the Nimiq blockchain beyond what was intended by its emission schedule. A malicious validator can exploit the lack of an upper bound on block timestamps to artificially increase rewards.
As a result, the economic integrity of the blockchain can be compromised, potentially devaluing the currency and undermining trust in the system.