Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Babylon Genesis Chain>High findings>BLS keystore password is stored as plaintext
GeneralOverview
Findings
Critical (10)
High (4)Variable-time multiplication by nonce in adaptor signatures, EOTSs, ECDSA, and Schnorr signaturesUnauthenticated exposed PrometheusUnauthenticated exposed PrometheusBLS keystore password is stored as plaintext
Medium (4)
Low (7)
Informational (7)
DiscussionBabylon node module-wise reviewed parametersDependency management and vulnerability assessmentPanic handling in ABCI++ handlersBehavior of MissedBlocksCounter on consecutive windows
DesignModule: btclightclientModule: btccheckpointModule: checkpointingModule: epochingModule: finalityModule: incentiveModule: monitorModule: mintModule: btcstakingbtc-stakerstaking-expiry-checkerbtc-staking-tsVigilante reporterVigilante submitterVigilante monitor (BTC timestamping monitor)Vigilante BTC staking trackerCryptographyFinality providerCovenant emulatorModule: staking-queue-clientstaking-api-servicebabylon-staking-indexersimple-staking
Audit ResultsAssessment Results
AddendumAddendumNonce reuse in adaptor signatures allows recovering signing key testsKey recovery succeeding on output from a btc-delegations query test
Category: Coding Mistakes

BLS keystore password is stored as plaintext

High Severity
Medium Impact
Low Likelihood

Description

The ERC-2335 BLS keystore implementation in Babylon stores the keystore password in plaintext in a file on the machine running the validator node.

// Save saves the bls12381 key to the file.
// The file stores an erc2335 structure containing the encrypted bls private key.
func (k *BlsKey) Save(password string) {
	// [ ... ]

	// write generated erc2335 keystore to file
	if err := tempfile.WriteFileAtomic(k.filePath, jsonBytes, 0600); err != nil {
		panic(fmt.Errorf("failed to write BLS key: %w", err))
	}

	// save used password to file
	if err := tempfile.WriteFileAtomic(k.passwordPath, []byte(password), 0600); err != nil {
		panic(fmt.Errorf("failed to write BLS password: %w", err))
	}
}

Impact

Storing passwords in plaintext files is not a standard practice. Ideally, passwords should be stored in a password manager, or a hardware authentication device such as a yubikey should be used for this purpose.

The likelihood of the password and keystore files being leaked / stolen is low, but it is not completely out of the question. Therefore, we've given the finding a high severity with a medium impact.

Recommendations

Don't store the BLS keystore password in a plaintext file. Use a password manager, a hardware authentication device, or another equivalent form of password storage instead.

Remediation

This issue has been acknowledged by Babylon Labs, and a fix was implemented in commit 7de1a748. A password is now only saved to a file if one is not provided through an environment variable (which can be done through integration with secret management APIs).

Zellic © 2025Back to top ↑