Nimiq Block Quorum Bypass Vulnerability in Skip Block Proof Verification
Vulnerability
A vulnerability exists in the Nimiq Block Rust implementation, in versions through 1.2.2. The issue is in the `SkipBlockProof::verify` method, which improperly handles signer indices. The method decides quorum from the length of the signers `BitSet` and only afterwards iterates through the indices. Out-of-range indices can therefore be crafted to inflate the apparent number of signers while collapsing into valid slots during aggregation. This allows a validator with significantly fewer than the required signer slots to falsely pass the quorum check by multiplying a single BLS signature. The vulnerability can be exploited if an attacker can get a `SkipBlockProof` verified with strategically placed out-of-range indices in the `MultiSignature.signers` set.
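The count-versus-slots mismatch described above, as an added toy model that is not Nimiq's code or its patch. The constants, the `u8` narrowing in `slot_of`, and all function names are assumptions chosen for illustration; the strict check shows one way to reject such a signer set, not necessarily how 1.3.0 does it.

```rust
use std::collections::BTreeSet;

// Constructed toy parameters for illustration; not Nimiq's real policy values.
const SLOTS: usize = 16;
const QUORUM: usize = 11; // 2f+1 with f = 5

/// Assumed model of the collapse: slot lookup narrows the index (here to u8),
/// so indices 256 apart resolve to the same slot.
fn slot_of(index: usize) -> usize {
    (index as u8) as usize
}

/// Flawed pattern: quorum is decided from the set length alone.
fn quorum_by_len(signers: &BTreeSet<usize>) -> bool {
    signers.len() >= QUORUM
}

/// Distinct in-range slots the set covers once indices are resolved.
fn distinct_slots(signers: &BTreeSet<usize>) -> usize {
    let slots: BTreeSet<usize> =
        signers.iter().map(|&i| slot_of(i)).filter(|&s| s < SLOTS).collect();
    slots.len()
}

/// Hardened pattern: reject the proof on any out-of-range index, then count.
/// Err carries the first offending index.
fn quorum_strict(signers: &BTreeSet<usize>) -> Result<bool, usize> {
    match signers.iter().find(|&&i| i >= SLOTS) {
        Some(&bad) => Err(bad),
        None => Ok(signers.len() >= QUORUM),
    }
}

/// Constructed sample: QUORUM indices that all resolve to slot 3.
fn inflated_set() -> BTreeSet<usize> {
    (0..QUORUM).map(|k| 3 + 256 * k).collect()
}

fn main() {
    let crafted = inflated_set();
    let honest: BTreeSet<usize> = (0..QUORUM).collect();
    println!("crafted: len-check={} distinct={} strict={:?}",
        quorum_by_len(&crafted), distinct_slots(&crafted), quorum_strict(&crafted));
    println!("honest:  len-check={} distinct={} strict={:?}",
        quorum_by_len(&honest), distinct_slots(&honest), quorum_strict(&honest));
}
```

The length-based check accepts the constructed set even though it covers a single slot, while the strict check rejects it at the first out-of-range index.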
Impact
Exploitation of this vulnerability allows a validator to bypass the quorum requirement in skip block proof verification, potentially leading to incorrect validation outcomes in the blockchain consensus process.
Remediation
Users can upgrade to Nimiq Block version 1.3.0 or later, where this vulnerability has been patched.
