Nimiq Core Rust Albatross History Index Request Handler Panic Vulnerability
Vulnerability
A vulnerability exists in the Nimiq Core Rust Albatross implementation of the Proof-of-Stake protocol, prior to version 1.3.0. Two peer-facing consensus request handlers incorrectly assume that the history index is always available, leading to a panic when the index is not enabled. This issue can be exploited by a remote peer sending specific request types, causing the node to panic and disrupt service.
Impact
Exploitation of this vulnerability causes a panic in the affected request handlers, disrupting normal operation and potentially leading to a denial of service.
Reproduction
The vulnerability can be reproduced by running a full node with the history index disabled. When the node is in this state, a remote peer can send requests for transaction proofs or receipts by address. The affected request handlers will attempt to access the history index, encounter the 'WithoutIndex' state, and trigger a panic by unwrapping an empty option.
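The failure mode described above, reduced to a sketch and shown beside a checked variant. This is an added example, not Nimiq's code or its actual patch: `HistoryStore`, `ResponseError` and both handler functions are hypothetical names, and only the `WithoutIndex` state comes from the advisory.

```rust
// Added illustration: every type and function name here is hypothetical, not Nimiq's API.
use std::collections::HashMap;

/// A node's history store; the address index exists only when enabled in the config.
enum HistoryStore {
    WithIndex(HashMap<String, Vec<String>>), // address -> transaction hashes
    WithoutIndex,
}

impl HistoryStore {
    fn index(&self) -> Option<&HashMap<String, Vec<String>>> {
        match self {
            HistoryStore::WithIndex(idx) => Some(idx),
            HistoryStore::WithoutIndex => None,
        }
    }
}

#[derive(Debug, PartialEq)]
enum ResponseError {
    IndexNotAvailable,
}

/// The pattern the advisory describes: the handler assumes the index is present,
/// so a peer request against a `WithoutIndex` store panics on the unwrap.
fn receipts_by_address_unchecked(store: &HistoryStore, address: &str) -> Vec<String> {
    let index = store.index().unwrap();
    index.get(address).cloned().unwrap_or_default()
}

/// Hardened form: a missing index is an expected state and becomes an error reply.
fn receipts_by_address(store: &HistoryStore, address: &str) -> Result<Vec<String>, ResponseError> {
    let index = store.index().ok_or(ResponseError::IndexNotAvailable)?;
    Ok(index.get(address).cloned().unwrap_or_default())
}

fn main() {
    // Constructed sample data, not real addresses or transaction hashes.
    let indexed = HistoryStore::WithIndex(HashMap::from([("addr-1".to_string(), vec!["tx-a".to_string()])]));
    let bare = HistoryStore::WithoutIndex;
    println!("{:?}", receipts_by_address(&indexed, "addr-1"));
    println!("{:?}", receipts_by_address(&bare, "addr-1"));
    // The unchecked handler panics on the same store; catch it to report the outcome.
    let crashed = std::panic::catch_unwind(|| receipts_by_address_unchecked(&bare, "addr-1")).is_err();
    println!("unchecked handler panicked: {crashed}");
}
```

In review, any `unwrap()` or `expect()` on state that depends on node configuration and is reachable from a peer-facing handler deserves the same treatment.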
Remediation
Users can upgrade to Nimiq Core Rust Albatross version 1.3.0 or later, where this vulnerability has been patched.
