CVE-2026-40093

nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In 1.3.0 and earlier, block timestamp validation enforces that timestamp = parent.timestamp for non-skip blocks and timestamp == parent.timestamp + MINPRODUCERTIMEOUT for skip blocks, but there is no visible upper...

PT-2026-31733

Name of the Vulnerable Software and Affected Versions nimiq-blockchain versions 1.3.0 and earlier Description nimiq-blockchain, used for persistent block storage in Nimiq's Rust implementation, has an issue where block timestamp validation lacks an upper bound check against the wall clock in...

PT-2024-40452 · Softwarex · Softwarex

Name of the Vulnerable Software and Affected Versions: SoftwareX versions prior to 0.33.1 Description: The issue arises when a node receives a block with a timestamp more than 15 seconds ahead of its local time, potentially leading to the block being marked as invalid and the peer being banned. T...

Bidders can bid at previous auction reserve price by frontrunning the setter transactions

Lines of code Vulnerability details Impact The AuctionHouse.settleCurrentAndCreateNewAuction can frontrun the setter functions such as setCreatorRateBps, setMinCreatorRateBps, setEntropyRateBps, setTimeBuffer, setMinBidIncrementPercentage & setReservePrice. As soon as the current auction ends, an...

Using block.timestamp as the deadline/expiry invites MEV

Lines of code 307 Vulnerability details Passing block.timestamp as the expiry/deadline of an operation does not mean "require immediate execution" - it means "whatever block this transaction appears in, I'm comfortable with that block's timestamp". Providing this value means that a malicious mine...

Missing deadline param in swapExactAmountOut() allowing outdated slippage and allow pending transaction to be executed unexpectedly.

Lines of code Vulnerability details Impact Loss of funds/tokens for the protocol, since block execution is delegated to the block validator without a hard deadline. Proof of Concept The function swapExactAmountOut from LiquidationRouter.sol and LiquidationPair.sol use these methods to swap tokens...

Proposal remains open to votes for only 3 blocks instead of 7 days

Lines of code Vulnerability details Impact LybraGovernance contract only allows to vote during the first 3 blocks after the snapshot is taken. Assuming it takes roughly 12 seconds per 1 block on Ethereum, it is only 36 seconds to decide and vote for a proposal. This would be too fast for a regula...

CommunityIssuance.sol – Stability pool can manipulate time stamps with the fund function to issue more oath than appropriate.

Lines of code Vulnerability details If lastDistributionTime is set to a date in the future, it would allow the issueOath function to continue to mint tokens even after it should have stopped. This is because the if statement in issueOath checks whether the current time is greater than...

Weak PRNG

Lines of code Vulnerability details Impact Weak PRNG due to a modulo on block.timestamp, now or blockhash. These can be influenced by miners to some extent so they should be avoided. src/VRFNFTRandomDraw.sol if settings.recoverTimelock block.timestamp + MONTHINSECONDS 12 revert...

NFTs mintable after Auction deadline expires

Lines of code Vulnerability details Impact The buy function on the LPDA.sol contract is not validating if the auction is still running, allowing a purchase to be made after the stipulated time. The endtime variable used to store the end date of the auction is not used at any point to validate...

Upgraded Q -> M from #272 [1668215320788]

Judge has assessed an item in Issue 272 as M risk. The relevant finding follows: Inaccurate comment can be misleading. The following retrievePledgeRewards function is for retrieving the non-distributed rewards from an expired pledge, not just a closed pledge. Calling this function for a pledge th...

Pod can (likely) be chosen by miner

Lines of code Vulnerability details Impact The miner can chose pod with high probability. Proof of Concept The random number generation can be easily influenced by the miner by setting block.timestamp to within an acceptable value ranging some 10-15 consecutive values seconds. Since this is hashe...

checkpointing of same state values in increaseUnlockTime()

Lines of code Vulnerability details Impact oldLocked and locked referes to same LockedBalance in increaseUnlockTime while calling checkpoint Proof of Concept // See IVotingEscrow for documentation function increaseUnlockTimeuint256 unlockTime ........ LockedBalance memory locked = lockedmsg.sende...

block.timestamp used as time proxy

Lines of code Vulnerability details block.timestamp used as time proxy Summary: Risk of using block.timestamp for time should be considered. Details: block.timestamp is not an ideal proxy for time because of issues with synchronization, miner manipulation and changing block times. This can be...

Weak PRNG (Pseudorandom number generator)

Lines of code Vulnerability details Impact Weak PRNG due to a modulo on block.timestamp, now or blockhash. These can be influenced by miners to some extent so they should be avoided. Proof of Concept Tools Used Slither Recommended Mitigation Steps Do not use block.timestamp, now or blockhash as a...

getRemainingRewards() Malfunction for unstarted promotions

Handle WatchPug Vulnerability details For unstarted promotions, cancelPromotion will revert at block.timestamp - promotion.startTimestamp in getCurrentEpochId. Call stack: getRemainingRewards - getRemainingRewards - getCurrentEpochId. function getCurrentEpochIdPromotion memory promotion internal...

Pool._addPoolMetrics(uint256) is subject to potential miner manipulation

Handle heiho1 Vulnerability details Impact Pool.addPoolMetricsuint256 on line 334 relies on block.timestamp and is potentially vulnerable to miner manipulation. This could lead to erroneous pool metrics. Proof of Concept Tools Used Slither Recommended Mitigation Steps An external time oracle like...