Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Babylon Genesis Chain>High findings>Unauthenticated exposed Prometheus
GeneralOverview
Findings
Critical (10)
High (4)Variable-time multiplication by nonce in adaptor signatures, EOTSs, ECDSA, and Schnorr signaturesUnauthenticated exposed PrometheusUnauthenticated exposed PrometheusBLS keystore password is stored as plaintext
Medium (4)
Low (7)
Informational (7)
DiscussionBabylon node module-wise reviewed parametersDependency management and vulnerability assessmentPanic handling in ABCI++ handlersBehavior of MissedBlocksCounter on consecutive windows
DesignModule: btclightclientModule: btccheckpointModule: checkpointingModule: epochingModule: finalityModule: incentiveModule: monitorModule: mintModule: btcstakingbtc-stakerstaking-expiry-checkerbtc-staking-tsVigilante reporterVigilante submitterVigilante monitor (BTC timestamping monitor)Vigilante BTC staking trackerCryptographyFinality providerCovenant emulatorModule: staking-queue-clientstaking-api-servicebabylon-staking-indexersimple-staking
Audit ResultsAssessment Results
AddendumAddendumNonce reuse in adaptor signatures allows recovering signing key testsKey recovery succeeding on output from a btc-delegations query test
Category: Coding Mistakes

Unauthenticated exposed Prometheus

High Severity
Medium Impact
Low Likelihood

Description

When a user runs a staker-cli command, the command-line interface (CLI) program communicates with the stakerd daemon via JSON-RPC on port 15812.

Just as in Finding ref, an attacker could create a website that communicates with the internal JSON-RPC server when visited, even though it is only listening on localhost.

Impact

An attacker's website could send a request to the internal JSON-RPC server, running commands like bonding and unbonding as if it were the staker-cli program.

This could lead to a loss of user funds.

In addition, an attacker could use DNS rebinding to read the response from the JSON-RPC server, which could help facilitate these attacks.

Recommendations

Implement authentication to ensure that only requests coming from staker-cli are handled. Alternatively, change the stakerd server implementation to not communicate over HTTP.

Remediation

This issue has been acknowledged by Babylon Labs, which noted that it is the responsibility of the program operator to ensure that the relevant port is sufficiently protected and not accessible to the outside world.

Zellic © 2025Back to top ↑