Arbitrary Deduction of Total Bond Satoshi from Expiring Delegation Handling
Description
When a staking transaction is executed on the BTC network, the MsgCreateBTCDelegation message is processed with a proof, triggering the following code execution: BTC Delegation Code.
The BTCDelegationStatus_EXPIRED event is scheduled to be emitted in a future block. The BTCDelegationStatus_ACTIVED event is not emitted immediately and only activates later when a sufficient number of Covenant Signatures are received. If an insufficient number of MsgAddCovenantSigs messages are executed, the quorum is never met, and BTCDelegationStatus_ACTIVED is never emitted.
When the scheduled block for BTCDelegationStatus_EXPIRED arrives, the following code is executed:
Since BTCDelegationStatus_ACTIVED was never emitted, no Delegated Satoshi was added for the affected FP. However, the BTCDelegationStatus_EXPIRED event still causes the Delegated Satoshi to be deducted.
Impact
In rare cases, an attacker could censor or DDoS covenant members for an extended period, preventing the quorum from being reached. If the quorum is not met in time, the BTCDelegationStatus_ACTIVED event is never emitted, yet the BTCDelegationStatus_EXPIRED event still triggers a deduction of Delegated Satoshi for the affected Finality Provider. This could result in an arbitrary and unfair reduction of a specific FP's Delegated Satoshi, even though no delegation was ever successfully activated.
Recommendations
Modify the expiration event handling logic to ensure that BTCDelegationStatus_EXPIRED does not trigger a deduction if BTCDelegationStatus_ACTIVED was never emitted.
Remediation
This issue has been acknowledged by Babylon Labs, and a fix was implemented in commit 1ebc3727.
This was remediated by ensuring that if a specific delegation has not received a quorum of Covenant signatures, the BTCDelegationStatus_EXPIRED event is not processed when it occurs.
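The following Go program is an added illustration of the state machine described in the Description and of the check proposed in the Recommendations; it is constructed for this write-up and is not Babylon's code. It models a toy keeper with a per-Finality-Provider running total of Delegated Satoshi, a delegation that reaches covenant quorum and becomes ACTIVED, and a second delegation whose covenant signatures never arrive. The status names mirror those on the page; the keeper, quorum size and satoshi amounts are assumptions. HandleExpiredVulnerable reproduces the unconditional deduction, and HandleExpiredFixed applies the deduction only when the delegation was actually activated.

```go
package main

import "fmt"

// BTCDelegationStatus mirrors the three states the finding talks about.
type BTCDelegationStatus int

const (
	BTCDelegationStatus_PENDING BTCDelegationStatus = iota // created, waiting for covenant signatures
	BTCDelegationStatus_ACTIVED                            // quorum reached, sats counted for the FP
	BTCDelegationStatus_EXPIRED                            // timelock passed
)

// BTCDelegation holds only the fields this example needs (assumed shape).
type BTCDelegation struct {
	FP       string // finality provider the stake is delegated to
	TotalSat int64  // staked satoshi
	CovSigs  int    // covenant signatures received so far
	Status   BTCDelegationStatus
}

// Keeper is a toy stand-in for module state: delegations plus the running
// total of Delegated Satoshi per finality provider. int64 is used so that an
// unjustified debit shows up as a plain reduction rather than a uint wrap.
type Keeper struct {
	quorum       int
	dels         map[string]*BTCDelegation
	delegatedSat map[string]int64
}

func NewKeeper(quorum int) *Keeper {
	return &Keeper{quorum: quorum, dels: map[string]*BTCDelegation{}, delegatedSat: map[string]int64{}}
}

// CreateDelegation plays the role of MsgCreateBTCDelegation: the delegation is
// recorded, but nothing is credited to the FP yet.
func (k *Keeper) CreateDelegation(id, fp string, sat int64) {
	k.dels[id] = &BTCDelegation{FP: fp, TotalSat: sat, Status: BTCDelegationStatus_PENDING}
}

// AddCovenantSig plays the role of MsgAddCovenantSigs. Once the quorum is
// reached the delegation becomes ACTIVED and its sats are credited to the FP.
func (k *Keeper) AddCovenantSig(id string) {
	d := k.dels[id]
	if d.Status != BTCDelegationStatus_PENDING {
		return
	}
	d.CovSigs++
	if d.CovSigs >= k.quorum {
		d.Status = BTCDelegationStatus_ACTIVED
		k.delegatedSat[d.FP] += d.TotalSat
	}
}

// HandleExpiredVulnerable reproduces the flawed logic: the EXPIRED event
// always debits the FP, whether or not ACTIVED ever happened.
func (k *Keeper) HandleExpiredVulnerable(id string) {
	d := k.dels[id]
	d.Status = BTCDelegationStatus_EXPIRED
	k.delegatedSat[d.FP] -= d.TotalSat
}

// HandleExpiredFixed debits only when the delegation had reached covenant
// quorum and been activated, which is the check the recommendation asks for.
func (k *Keeper) HandleExpiredFixed(id string) {
	d := k.dels[id]
	wasActive := d.Status == BTCDelegationStatus_ACTIVED
	d.Status = BTCDelegationStatus_EXPIRED
	if wasActive {
		k.delegatedSat[d.FP] -= d.TotalSat
	}
}

// scenario builds constructed state: one honest 5000 sat delegation to fp1
// that reaches quorum, and a 1000 sat delegation to fp1 whose covenant
// signatures are starved (quorum 3, only 1 signature ever arrives).
func scenario(expire func(k *Keeper, id string)) int64 {
	k := NewKeeper(3)
	k.CreateDelegation("del-honest", "fp1", 5000)
	for i := 0; i < 3; i++ {
		k.AddCovenantSig("del-honest")
	}
	k.CreateDelegation("del-starved", "fp1", 1000)
	k.AddCovenantSig("del-starved") // quorum never reached, ACTIVED never emitted
	expire(k, "del-starved")         // the scheduled EXPIRED block arrives
	return k.delegatedSat["fp1"]
}

// DelegatedSatVulnerable returns fp1's total after the flawed handler runs.
func DelegatedSatVulnerable() int64 { return scenario((*Keeper).HandleExpiredVulnerable) }

// DelegatedSatFixed returns fp1's total after the corrected handler runs.
func DelegatedSatFixed() int64 { return scenario((*Keeper).HandleExpiredFixed) }

func main() {
	fmt.Println("vulnerable:", DelegatedSatVulnerable()) // 4000: debited for a never-active delegation
	fmt.Println("fixed:     ", DelegatedSatFixed())      // 5000: untouched
}
```

The difference between the two handlers is the single status check before the debit; a regression test along the lines of scenario, asserting that the FP total is unchanged when a delegation expires without ever being ACTIVED, is the cheapest way to keep this invariant from silently reappearing.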