Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Babylon Chain>Informational findings>Potential issues with the MinUnbondingTime parameter
GeneralOverview
Findings
Critical (4)
Medium (1)
Low (4)
Informational (4)Use alternative libPotential issues with the MinUnbondingTime parameterMisparsed OP_PUSHDATA{2,4} in ExtractOpReturnDataIncorrect unbonding-time check in covenant-emulator
DiscussionOverflowed transaction promotionMitigating potential attacks through maximum staking valueImproving front-end security
Threat ModelTransaction generation and signingBabylon modules
Audit ResultsAssessment Results
Category: Coding Mistakes

Potential issues with the MinUnbondingTime parameter

Informational Severity
Informational Impact
N/A Likelihood

Description

The Babylon chain has a MinUnbondingTime parameter, which specifies the minimum unbonding time that valid unbonding transactions must use in their time-lock script.

The staking indexer component tracks unbonding transactions by comparing the unbonding time in the time-lock script to an UnbondingTime parameter. Note that this UnbondingTime parameter is different to the MinUnbondingTime parameter in Babylon.

The issue is that the staking indexer performs an equality check (i.e., the unbonding time in the transaction must be equal to the UnbondingTime parameter in the indexer). Babylon, however, performs a greater-than-or-equal-to check (i.e., the unbonding time must be greater than or equal to MinUnbondingTime).

Impact

This leads to an issue where a user might create an unbonding transaction with the unbonding time set to a value greater than MinUnbondingTime but also not equal to the indexer's UnbondingTime. This would prevent the indexer from ever picking up the transaction, which means the covenant would never become aware of this transaction.

The impact from this is that the user would end up losing the gas fee that they paid for the unbonding transaction and subsequently would need to recreate it with the correct unbonding time.

Recommendations

Our initial recommendation for a fix was to modify the checks in Babylon such that the unbonding time in the transaction would have to match an exactly set parameter.

However, a finality provider can abuse this. The way finality providers can provide trust to users is by having one big self-delegation to themselves. This tells the users that the finality provider will not be malicious because they have the most to lose if they get slashed.

Now, if everyone has the same unbonding time, then the finality provider can unbond before any of the delegators. Once the unbonding transaction has gone through the time-lock period, the finality provider can withdraw and subsequently selectively slash any delegator they want without consequence. This means that there must be some leeway to set the unbonding time.

Our current recommendation is for the checks in the staking indexer (and other components) be modified to be greater-than-or-equal-to checks, similar to how it is in Babylon.

Remediation

Babylon has informed us that they will leave the unbonding time checks as they are for now, since the Babylon chain has not been implemented yet. They plan to revisit and address this issue later on.

Zellic © 2025Back to top ↑