Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Babylon Genesis Chain>Critical findings>Arbitrary Deduction of Total Bond Satoshi from Unbonding Delegation Handling
GeneralOverview
Findings
Critical (10)Nonce reuse in adaptor signatures allows recovering signing keyCosmWasm Stargate/Any messages bypass AnteHandler checksIncorrect parity check in adaptor signaturesPanic triggered by incorrect logic in finality module’s EndBlockSlashed finality provider retaining voting powerSlashed finality provider restoring voting power through pending delegationsArbitrary Deduction of Total Bond Satoshi from Unbonding Delegation HandlingThe btclightclient module design flaw after Babylon chain haltArbitrary Deduction of Total Bond Satoshi from Expiring Delegation HandlingIncorrect Delegation Status Check Leading to Chain Halt
High (4)
Medium (4)
Low (7)
Informational (7)
DiscussionBabylon node module-wise reviewed parametersDependency management and vulnerability assessmentPanic handling in ABCI++ handlersBehavior of MissedBlocksCounter on consecutive windows
DesignModule: btclightclientModule: btccheckpointModule: checkpointingModule: epochingModule: finalityModule: incentiveModule: monitorModule: mintModule: btcstakingbtc-stakerstaking-expiry-checkerbtc-staking-tsVigilante reporterVigilante submitterVigilante monitor (BTC timestamping monitor)Vigilante BTC staking trackerCryptographyFinality providerCovenant emulatorModule: staking-queue-clientstaking-api-servicebabylon-staking-indexersimple-staking
Audit ResultsAssessment Results
AddendumAddendumNonce reuse in adaptor signatures allows recovering signing key testsKey recovery succeeding on output from a btc-delegations query test
Category: Coding Mistakes

Arbitrary Deduction of Total Bond Satoshi from Unbonding Delegation Handling

Critical Severity
Critical Impact
High Likelihood

Description

The MsgBTCUndelegate message handler, which supports early unbonding for delegations, allows unbonding even when the delegation is in the BTCDelegationStatus_PENDING status rather than BTCDelegationStatus_ACTIVED. (Reference)

When the scheduled block for BTCDelegationStatus_UNBONDED arrives, the following code is executed:

  1. processPowerDistUpdateEventUnbond

  2. MustProcessBtcDelegationUnbonded

  3. subDelegationSat

Since BTCDelegationStatus_ACTIVED was never emitted, no Delegated Satoshi was added for the affected FP. However, the BTCDelegationStatus_UNBONDED event still causes the Delegated Satoshi to be deducted.

Impact

If the quorum is not met in time, the BTCDelegationStatus_ACTIVED event is never emitted, yet the BTCDelegationStatus_UNBONDED event still triggers a deduction of Delegated Satoshi for the affected Finality Provider. This could result in an arbitrary and unfair reduction of a specific FP’s Delegated Satoshi, even though no delegation was ever successfully activated.

This issue is similar to issue 3.10, but it occurs in a different part of the code and is more likely to happen.

Recommendations

Modify the expiration event handling logic to ensure that BTCDelegationStatus_UNBONDED does not trigger a deduction if BTCDelegationStatus_ACTIVED was never emitted.

Remediation

This issue has been acknowledged by Babylon Labs, and a fix was implemented in commit a8d24315.

This was remediated by the above recommendation.

Zellic © 2025Back to top ↑