CVE-2026-34064

nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, VestingContract::canchangebalance returns AccountError::InsufficientFunds when newbalance balance, the node crashes while trying to return an error. The mincap balance precondition is...

CVE-2026-34064

nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, VestingContract::canchangebalance returns AccountError::InsufficientFunds when newbalance balance, the node crashes while trying to return an error. The mincap balance precondition is...

CVE-2026-34064 nimiq-account: Vesting insufficient funds error can panic

nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, VestingContract::canchangebalance returns AccountError::InsufficientFunds when newbalance balance, the node crashes while trying to return an error. The mincap balance precondition is...

CVE-2026-34064 nimiq-account: Vesting insufficient funds error can panic

nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, VestingContract::canchangebalance returns AccountError::InsufficientFunds when newbalance balance, the node crashes while trying to return an error. The mincap balance precondition is...

CVE-2026-34064

nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, VestingContract::canchangebalance returns AccountError::InsufficientFunds when newbalance balance, the node crashes while trying to return an error. The mincap balance precondition is...

CVE-2026-34064

The CVE-2026-34064 issue affects Nimiq-account’s VestingContract in the Rust implementation. Before v1.3.0, VestingContract::can_change_balance can produce AccountError::InsufficientFunds and builds the error with balance = self.balance - min_cap; if min_cap > balance, Coin::sub underflows and...

PT-2026-34545

Impact VestingContract::can change balance returns AccountError::InsufficientFunds when new balance balance, the node crashes while trying to return an error. The min cap balance precondition is attacker-reachable because the vesting contract creation data 32-byte format allows encoding total...

CVE-2026-28410

The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in...

EUVD-2026-9871

The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in...

User will lose rewards

Lines of code Vulnerability details Impact User will lose there rewards even when vesting period has completed. Also the reward will get stuck in the contract with no one able to retrieve them Proof of Concept 1. Admin creates a new claim using createClaim function function createClaim address...

Remove the withdrawOtherToken function (phishing)

Lines of code Vulnerability details Impact This function can be only called by admins. Remove the withdrawOtherToken function to prevent you from phishing attacks. Proof 1. Attacker will send the fake tokens to your contract address. 2. Now there are 100% chances, admin of vesting contract will b...

The name of the function to setup a vesting in the interface IVesting.sol doesn’t match with the name of the function to setup a vesting in StakeCitadelVester.sol.

Lines of code Vulnerability details Impact Users will not be able to withdraw their funds . Proof of Concept When a user wants to withdraw his tokens from StakedCitadel.sol, vesting is supposed to be set and tokens are sent to the vesting contract where they are vested linearly for 21 days. This ...

Incorrect interface for StakedCitadelVester causes withdrawals to revert

Lines of code Vulnerability details The IVesting interface contains a setupVesting function: IVesting4 interface IVesting function setupVesting address recipient, uint256 amount, uint256 unlockBegin external; This function is called to send withdrawals to the vesting contract in...

Anyone can DDOS vesting contract

Handle pauliax Vulnerability details Impact Vest function can be accessed by anyone. It accepts arbitrary beneficiary and pushes new vesting to the array of this beneficiary timelocks. As a malicious actor I can block any user by just invoking vest function with a tiny amount of vest token. The...

Contract BasicSale is missing an approve(address(vestLock), 2**256-1) call

Handle Reigada Vulnerability details Impact As we can see in the contracts AirdropDistribution and InvestorDistribution, they both have the following approve call: mainToken.approveaddressvestLock, 2256-1; This is necessary because both contracts transfer tokens to the vesting contract by calling...