Nimiq Core Rust Albatross Off-By-One Vulnerability in Proposal Signer Bounds Check Leading to Validator Crash

A vulnerability exists in the Nimiq Core Rust Albatross implementation of the Proof-of-Stake protocol, prior to version 1.3.0. An untrusted peer can cause a validator to crash by sending a signed Tendermint proposal message with the signer index equal to the number of validators. The ProposalSender's bounds check incorrectly uses 'greater than' instead of 'greater than or equal to', allowing the out-of-bounds index to be accessed before signature verification, which leads to a panic. This issue has been addressed in version 1.3.0.

Impact

Exploitation of this vulnerability causes a panic in the validator, disrupting its operation. The out-of-bounds access occurs before any signature verification, potentially allowing for the introduction of invalid proposals that could be processed incorrectly.

Reproduction

To reproduce this vulnerability, send a signed Tendermint proposal message from an untrusted peer with the signer index set to the total number of validators. The ProposalSender will accept the proposal without proper validation, leading to a panic when the out-of-bounds index is accessed.

Remediation

Users can upgrade to Nimiq Core Rust Albatross version 1.3.0 or later, where this vulnerability has been fixed.