Nimiq Core Rust Albatross Election Macro Block Interlink Verification Bypass Vulnerability

A vulnerability exists in the Nimiq Core Rust Albatross implementation of the Proof-of-Stake protocol, prior to version 1.3.0. It allows an elected validator proposer to submit an election macro block with a header interlink that does not align with the expected canonical interlink. This oversight occurs because the interlink binding for election blocks is not verified during the proposal process, even though other aspects of the block are validated. As a result, the incorrect block is accepted and finalized, but later rejected when the interlink error is discovered during the standard block verification process. This flaw can lead to a situation where validators prematurely vote on a block that is ultimately invalid, causing disruptions after the voting has concluded.

Impact

Exploitation of this vulnerability allows for the acceptance and finalization of election macro blocks with incorrect interlinks, leading to validation errors that disrupt the consensus process.

Reproduction

To reproduce this vulnerability, an elected validator proposer can create and submit an election macro block proposal that includes a header interlink not matching the canonical next interlink. This proposal will be accepted by the blockchain verification process, which fails to check the interlink binding for election blocks. After the block is finalized, the interlink discrepancy will be detected, causing the block to be rejected and creating a validation error. This process can be automated with a script that generates a block with a mismatched interlink and submits it during the proposal phase.

Remediation

Users can upgrade to Nimiq Core Rust Albatross version 1.3.0 or later, where this vulnerability has been patched.