Assessment report: Babylon Genesis Chain, High findings
Category: Coding Mistakes

BLS keystore password is stored as plaintext

High Severity
Medium Impact
Low Likelihood

Description

The ERC-2335 BLS keystore implementation in Babylon stores the keystore password in plaintext in a file on the machine running the validator node.

// Save saves the bls12381 key to the file.
// The file stores an erc2335 structure containing the encrypted bls private key.
func (k *BlsKey) Save(password string) {
	// [ ... ]

	// write generated erc2335 keystore to file
	if err := tempfile.WriteFileAtomic(k.filePath, jsonBytes, 0600); err != nil {
		panic(fmt.Errorf("failed to write BLS key: %w", err))
	}

	// save used password to file
	if err := tempfile.WriteFileAtomic(k.passwordPath, []byte(password), 0600); err != nil {
		panic(fmt.Errorf("failed to write BLS password: %w", err))
	}
}

Impact

Storing passwords in plaintext files is not standard practice. Ideally, passwords should be stored in a password manager, or a hardware authentication device such as a YubiKey should be used for this purpose.

The likelihood of the password and keystore files being leaked or stolen is low, but it is not completely out of the question. Therefore, we've given the finding a high severity with a medium impact.

Recommendations

Don't store the BLS keystore password in a plaintext file. Use a password manager, a hardware authentication device, or another equivalent form of password storage instead.

Remediation

This issue has been acknowledged by Babylon Labs, and a fix was implemented in commit 7de1a748. A password is now only saved to a file if one is not provided through an environment variable (which can be done through integration with secret management APIs).
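The following is an added illustration of the remediated pattern, not code from the Babylon repository or from commit 7de1a748: the password is resolved from an environment variable first (which a secret manager can populate), the keystore is always written atomically with owner-only permissions, and the password file is written only when no environment value was available. The environment variable name BABYLON_BLS_PASSWORD, the BlsKey fields, the writeFileAtomic stand-in for tempfile.WriteFileAtomic, and the PlaintextPasswordOnDisk operator check are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// BlsPasswordEnv is a hypothetical variable name; the finding does not state
// which one Babylon reads after the fix.
const BlsPasswordEnv = "BABYLON_BLS_PASSWORD"

// BlsKey is a stripped-down stand-in for the key type in the finding.
type BlsKey struct {
	filePath     string // encrypted ERC-2335 keystore
	passwordPath string // plaintext password file (the finding's concern)
}

// ResolvePassword prefers a password supplied through the environment (for
// example injected by a secret manager) over the caller-provided fallback.
// fromEnv tells Save whether the password can stay off disk.
func ResolvePassword(lookup func(string) (string, bool), fallback string) (password string, fromEnv bool, err error) {
	if v, ok := lookup(BlsPasswordEnv); ok && v != "" {
		return v, true, nil
	}
	if fallback == "" {
		return "", false, errors.New("no BLS keystore password provided")
	}
	return fallback, false, nil
}

// writeFileAtomic writes to a temp file in the target directory and renames it
// into place, so a crash mid-write never leaves a truncated keystore. It is a
// stand-in for the project's tempfile.WriteFileAtomic.
func writeFileAtomic(path string, data []byte, perm os.FileMode) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".bls-*")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	cleanup := func(e error) error { tmp.Close(); os.Remove(tmpName); return e }
	if _, err := tmp.Write(data); err != nil {
		return cleanup(err)
	}
	if err := tmp.Chmod(perm); err != nil {
		return cleanup(err)
	}
	if err := tmp.Close(); err != nil {
		os.Remove(tmpName)
		return err
	}
	return os.Rename(tmpName, path)
}

// Save writes the encrypted keystore and, only when persistPassword is true
// (the password did not come from the environment), the password file.
func (k *BlsKey) Save(keystoreJSON []byte, password string, persistPassword bool) error {
	if err := writeFileAtomic(k.filePath, keystoreJSON, 0o600); err != nil {
		return fmt.Errorf("failed to write BLS key: %w", err)
	}
	if !persistPassword {
		return nil
	}
	if err := writeFileAtomic(k.passwordPath, []byte(password), 0o600); err != nil {
		return fmt.Errorf("failed to write BLS password: %w", err)
	}
	return nil
}

// PlaintextPasswordOnDisk is an operator-side check: does the password file
// exist, and if so are its permissions broader than owner-only?
func PlaintextPasswordOnDisk(passwordPath string) (exists, tooOpen bool, err error) {
	info, err := os.Stat(passwordPath)
	if errors.Is(err, os.ErrNotExist) {
		return false, false, nil
	}
	if err != nil {
		return false, false, err
	}
	return true, info.Mode().Perm()&0o077 != 0, nil
}

func main() {
	dir, err := os.MkdirTemp("", "bls-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	k := &BlsKey{filePath: filepath.Join(dir, "bls_key.json"), passwordPath: filepath.Join(dir, "bls_password.txt")}
	// Constructed fallback; in a real node this would come from an operator prompt.
	pw, fromEnv, err := ResolvePassword(os.LookupEnv, "operator-typed-password")
	if err != nil {
		panic(err)
	}
	// Constructed keystore stub standing in for the real ERC-2335 JSON.
	if err := k.Save([]byte(`{"version":4}`), pw, !fromEnv); err != nil {
		panic(err)
	}
	exists, tooOpen, _ := PlaintextPasswordOnDisk(k.passwordPath)
	fmt.Printf("password from env: %v, password file on disk: %v, permissions too open: %v\n", fromEnv, exists, tooOpen)
}
```

Run with BABYLON_BLS_PASSWORD exported and the password file is never created; run without it and the file appears with mode 0600, which is the behaviour the remediation describes. PlaintextPasswordOnDisk is the check an operator can run on an existing node to confirm that no password file lingers from before the fix.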

Zellic © 2025