Nimiq Blockchain History Sync Vulnerability Leading to Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in the Rust implementation of the Nimiq blockchain, affecting versions through 1.2.2. The issue lies in the 'HistoryStore::put_historic_txns' function, which uses 'assert!' to check that 'HistoricTransaction.block_number' satisfies certain invariants (the epoch and batch rules a chunk of history must follow). During history synchronization, the 'history' input passed to 'Blockchain::push_history_sync' is supplied by a remote peer. Because the check is an assertion rather than a validation that returns an error, a malformed history list that violates the invariants triggers a panic instead of being rejected. A malicious peer can therefore crash a syncing node by sending 'HistoricTransaction' objects whose block numbers break the expected epoch and batch rules.
Impact
Exploitation of this vulnerability causes a panic that crashes the syncing node. Any peer the node syncs history from can trigger it, making this a remotely triggerable denial of service.
Reproduction
The vulnerability can be reproduced by syncing a Nimiq node against a peer that serves corrupted history data: a history list containing 'HistoricTransaction' objects whose 'block_number' values violate the expected invariants, for example by spanning multiple batches or epochs. 'Blockchain::push_history_sync' then panics on the inconsistency before it has a chance to reject the invalid data.
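The failure mode described above, and the check a fixed node should make instead, as an added example that is not Nimiq's code: the batch and epoch sizes, the 'epoch_of' rule, the 'HistoryError' type, the 'validate_history_chunk' function and the minimal 'HistoryStore' are all assumptions made for illustration. The point is the contrast between an 'assert!' on peer-supplied data, which aborts the sync task, and a validation that returns an error the caller can act on while leaving the store untouched.

```rust
// Added example (not Nimiq's code): the assert-based check that lets a peer
// crash a syncing node, next to a validation that rejects the chunk instead.
use std::panic;

// Assumed chain parameters for illustration; not the real Nimiq constants.
const BLOCKS_PER_BATCH: u32 = 60;
const BATCHES_PER_EPOCH: u32 = 12;
const BLOCKS_PER_EPOCH: u32 = BLOCKS_PER_BATCH * BATCHES_PER_EPOCH;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct HistoricTransaction {
    pub block_number: u32,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum HistoryError {
    EmptyChunk,
    GenesisBlock,
    EpochMismatch { expected: u32, got: u32, block_number: u32 },
    OutOfOrder { prev: u32, next: u32 },
}

/// Assumed epoch rule: block 0 is genesis (epoch 0); blocks 1..=720 form
/// epoch 1, 721..=1440 epoch 2, and so on (ceiling division).
pub fn epoch_of(block_number: u32) -> u32 {
    (block_number + BLOCKS_PER_EPOCH - 1) / BLOCKS_PER_EPOCH
}

/// Vulnerable pattern: peer-supplied data is checked with assertions, so a
/// malformed chunk aborts the task instead of being rejected. Returns the
/// epoch the chunk belongs to when the asserts hold.
pub fn put_historic_txns_assert(chunk: &[HistoricTransaction]) -> u32 {
    assert!(!chunk.is_empty(), "empty history chunk");
    let epoch = epoch_of(chunk[0].block_number);
    let mut prev = 0;
    for t in chunk {
        assert!(t.block_number > 0, "genesis block carries no history");
        assert_eq!(epoch_of(t.block_number), epoch, "chunk spans epochs");
        assert!(t.block_number >= prev, "block numbers out of order");
        prev = t.block_number;
    }
    epoch
}

/// Hardened check: the same invariants, returned as an error the caller can
/// act on (drop the chunk, penalise the peer) without crashing the node.
pub fn validate_history_chunk(chunk: &[HistoricTransaction]) -> Result<u32, HistoryError> {
    let first = chunk.first().ok_or(HistoryError::EmptyChunk)?;
    let expected = epoch_of(first.block_number);
    let mut prev = 0;
    for t in chunk {
        if t.block_number == 0 {
            return Err(HistoryError::GenesisBlock);
        }
        let got = epoch_of(t.block_number);
        if got != expected {
            return Err(HistoryError::EpochMismatch { expected, got, block_number: t.block_number });
        }
        if t.block_number < prev {
            return Err(HistoryError::OutOfOrder { prev, next: t.block_number });
        }
        prev = t.block_number;
    }
    Ok(expected)
}

/// Minimal stand-in for the history store: validate before mutating, so a
/// rejected chunk leaves the store untouched.
#[derive(Debug, Default)]
pub struct HistoryStore {
    pub txns: Vec<HistoricTransaction>,
}

impl HistoryStore {
    pub fn push_history_sync(&mut self, chunk: &[HistoricTransaction]) -> Result<u32, HistoryError> {
        let epoch = validate_history_chunk(chunk)?;
        self.txns.extend_from_slice(chunk);
        Ok(epoch)
    }
}

fn main() {
    let mut store = HistoryStore::default();
    // Constructed chunks: a well-formed one inside epoch 1, and a malicious one
    // whose second transaction claims a block in epoch 2.
    let good = [HistoricTransaction { block_number: 1 }, HistoricTransaction { block_number: 61 }];
    let bad = [HistoricTransaction { block_number: 1 }, HistoricTransaction { block_number: 721 }];

    println!("hardened, good chunk: {:?}", store.push_history_sync(&good));
    println!("hardened, bad chunk:  {:?}", store.push_history_sync(&bad));
    println!("store still holds {} txns", store.txns.len());

    // The assert-based path panics on the same input; catch_unwind only
    // contains it here so the demo can report it.
    let crashed = panic::catch_unwind(|| put_historic_txns_assert(&bad)).is_err();
    println!("assert-based path panicked: {}", crashed);
}
```

In a real node the 'Err' from 'push_history_sync' is the signal to discard the chunk and disconnect or penalise the peer that sent it; an 'assert!' offers no such hook, and in an async runtime the panic takes the whole sync task down.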
Remediation
Users can upgrade to Nimiq Blockchain version 1.3.0 or later, where this vulnerability has been fixed.
