Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Babylon Chain>Informational findings>Incorrect unbonding-time check in ,covenant-emulator
GeneralOverview
Findings
Critical (4)
Medium (1)
Low (4)
Informational (4)Use alternative libPotential issues with the MinUnbondingTime parameterMisparsed OP_PUSHDATA{2,4} in ExtractOpReturnDataIncorrect unbonding-time check in covenant-emulator
DiscussionOverflowed transaction promotionMitigating potential attacks through maximum staking valueImproving front-end security
Threat ModelTransaction generation and signingBabylon modules
Audit ResultsAssessment Results
Category: Coding Mistakes

Incorrect unbonding-time check in covenant-emulator

Informational Severity
Informational Impact
N/A Likelihood

Description

When a delegation is created on Babylon through the MsgCreateBTCDelegation message, the delegation transaction that is specified by the user must have an unbonding time that is higher than max(MinUnbondingTime, CheckpointFinalizationTimeout). This can be seen in the MinUnbondingTime() function in the btcstaking module:

// MinimumUnbondingTime returns the minimum unbonding time. It is the bigger value from:
// - MinUnbondingTime
// - CheckpointFinalizationTimeout
func MinimumUnbondingTime(
	stakingParams Params,
	checkpointingParams btcctypes.Params) uint64 {
	return math.Max[uint64](
		uint64(stakingParams.MinUnbondingTime),
		checkpointingParams.CheckpointFinalizationTimeout,
	)
}

However, when the covenant-emulator component checks an unbonding transaction's unbonding time (prior to providing covenant signatures), the check is done incorrectly as shown below (note that the comment states the correct intention):

// 3. check unbonding time (staking time from unbonding tx) is larger than min unbonding time
// which is larger value from:
// - MinUnbondingTime
// - CheckpointFinalizationTimeout
unbondingTime := btcDel.UnbondingTime
minUnbondingTime := params.MinUnbondingTime
if unbondingTime <= minUnbondingTime {
    ce.logger.Error("invalid unbonding time",
        zap.Uint32("min_unbonding_time", minUnbondingTime),
        zap.Uint32("got_unbonding_time", unbondingTime),
    )
    continue
}

Impact

In the event that the CheckpointFinalizationTimeout is higher than MinUnbondingTime, an unbonding transaction with an unbonding time that is between MinUnbondingTime and CheckpointFinalizationTimeout would erroneously pass this check. However, this cannot actually happen because such a delegation could never be created in the first place, as the check is correctly done on Babylon in the MsgCreateBTCDelegation message handler.

Therefore, we conclude that this issue is informational in severity and impact.

Recommendations

Use the covenant-emulator's StakingParams.MinimumUnbondingTime() function to fetch the minimum unbonding time, as that returns the correct value.

Remediation

This issue has been acknowledged by Babylon, and a fix was implemented in commit 1b58842d.

Zellic © 2025Back to top ↑