{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/timestamp-manipulation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-40093"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["blockchain","timestamp-manipulation","inflation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eNimiq-blockchain, which provides persistent block storage for Nimiq\u0026rsquo;s Rust implementation, is susceptible to a critical vulnerability. In versions 1.3.0 and earlier, the block timestamp validation lacks an upper bound check against the wall clock. This flaw enables a malicious block-producing validator to set block timestamps to an arbitrarily distant future. The vulnerability directly impacts reward calculations within the blockchain, specifically through \u003ccode\u003ePolicy::supply_at()\u003c/code\u003e and \u003ccode\u003ebatch_delay()\u003c/code\u003e in \u003ccode\u003eblockchain/src/reward.rs\u003c/code\u003e. By manipulating these timestamps, attackers can inflate the monetary supply beyond the intended emission schedule. This poses a significant threat to the integrity and economic stability of the Nimiq blockchain.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains control of a block-producing validator node within the Nimiq blockchain network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious block.\u003c/li\u003e\n\u003cli\u003eThe malicious block is created with a timestamp set arbitrarily far into the future.\u003c/li\u003e\n\u003cli\u003eThe vulnerable timestamp validation logic in Nimiq-blockchain (versions 1.3.0 and earlier) fails to detect the out-of-bounds timestamp due to the missing upper bound check.\u003c/li\u003e\n\u003cli\u003eThe malicious block is accepted and added to the blockchain.\u003c/li\u003e\n\u003cli\u003eThe inflated timestamp is used in reward calculations via \u003ccode\u003ePolicy::supply_at()\u003c/code\u003e and \u003ccode\u003ebatch_delay()\u003c/code\u003e functions in \u003ccode\u003eblockchain/src/reward.rs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker receives an unfairly large block reward due to the manipulated timestamp.\u003c/li\u003e\n\u003cli\u003eThe total monetary supply of Nimiq is inflated beyond the intended emission schedule, devaluing existing holdings.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-40093 can lead to a significant inflation of the Nimiq cryptocurrency supply. While the precise number of affected users or specific financial losses is currently unknown, any validator capable of producing blocks could potentially exploit this vulnerability. If successful, this attack undermines the economic model of Nimiq, potentially causing a loss of confidence in the cryptocurrency and a devaluation of existing holdings.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003enimiq-blockchain\u003c/code\u003e that includes a proper upper bound check on block timestamps to address CVE-2026-40093.\u003c/li\u003e\n\u003cli\u003eImplement monitoring for sudden and unexpected increases in block rewards, focusing on inconsistencies with the expected emission schedule. This would require detailed knowledge of the blockchain\u0026rsquo;s reward algorithm.\u003c/li\u003e\n\u003cli\u003eReview and harden the block validation logic within the Nimiq-blockchain implementation to prevent similar timestamp manipulation attacks in the future.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T21:16:11Z","date_published":"2026-04-09T21:16:11Z","id":"/briefs/2026-04-nimiq-timestamp-inflation/","summary":"A vulnerability in nimiq-blockchain versions 1.3.0 and earlier allows malicious validators to manipulate block timestamps, leading to inflation of the monetary supply.","title":"Nimiq Blockchain Timestamp Manipulation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-nimiq-timestamp-inflation/"}],"language":"en","title":"CraftedSignal Threat Feed — Timestamp-Manipulation","version":"https://jsonfeed.org/version/1.1"}