Category: Coding Mistakes

Unauthenticated exposed Prometheus

High Severity
Medium Impact
Low Likelihood

Description

When a user runs a staker-cli command, the command-line interface (CLI) program communicates with the stakerd daemon over HTTP JSON-RPC on port 15812.

Just as in Finding ref, an attacker could create a website that, when visited, causes the victim's browser to send requests to this internal JSON-RPC server. Binding the server to localhost does not prevent this: the request originates from the browser on the same machine, so it reaches the listener regardless of where the page was served from, and the server has no way to tell such a request from one sent by staker-cli.

Impact

An attacker's website could send requests to the internal JSON-RPC server, running commands like bonding and unbonding as if it were the staker-cli program.

This could lead to a loss of user funds.

A plain cross-site request is blind, since the same-origin policy stops the attacker's page from reading the response. With DNS rebinding (pointing an attacker-controlled hostname at 127.0.0.1 once the page has loaded), the browser treats the server as same-origin, so the attacker's script can also read the JSON-RPC responses and drive the attack interactively.

Recommendations

Implement authentication to ensure that only requests coming from staker-cli are handled, for example a shared secret that the CLI reads from its configuration and presents in an Authorization header, which a web page has no way to obtain. Because a DNS-rebinding request arrives with the attacker's hostname in the Host header, stakerd should also validate Host against the expected localhost values and reject requests that carry an Origin header, which browsers add and the CLI does not. Alternatively, change the stakerd server implementation to not communicate over HTTP at all, for instance over a Unix domain socket, which a browser cannot reach.
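The hardening described above, as an added Go example rather than stakerd's own code: a middleware that allowlists the Host header (defeats DNS rebinding), rejects any request carrying an Origin header (defeats browser-originated requests), and requires a bearer token only the CLI knows, applied in front of a stand-in JSON-RPC handler. The port is the one the finding cites; the token value, the allowlist, the `rpcHandler` stub, the `guardLocalRPC`/`sendRPC` names and the method name `example_method` are assumptions for the example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumption: in a real deployment the token is loaded from a config file
// readable only by the operator; it is hard-coded here so the example runs offline.
const rpcToken = "example-shared-secret"

// allowedHosts lists the Host header values a genuine local CLI client sends.
// A DNS-rebinding request carries the attacker's hostname in Host instead.
var allowedHosts = map[string]bool{
	"localhost:15812": true,
	"127.0.0.1:15812": true,
	"[::1]:15812":     true,
}

// guardLocalRPC applies the three checks in order: Host allowlist, no Origin
// header, then a constant-time comparison of the bearer token.
func guardLocalRPC(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedHosts[strings.ToLower(r.Host)] {
			http.Error(w, "forbidden: unexpected Host header", http.StatusForbidden)
			return
		}
		if r.Header.Get("Origin") != "" {
			http.Error(w, "forbidden: browser-originated request", http.StatusForbidden)
			return
		}
		want := "Bearer " + rpcToken
		got := r.Header.Get("Authorization")
		if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// rpcHandler is a stand-in for the real JSON-RPC dispatcher (assumption); it
// only acknowledges the method name so the guard can be exercised.
func rpcHandler(w http.ResponseWriter, r *http.Request) {
	var req struct {
		ID     json.RawMessage `json:"id"`
		Method string          `json:"method"`
	}
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprintf(w, `{"jsonrpc":"2.0","id":%s,"result":"handled %s"}`, req.ID, req.Method)
}

// sendRPC sends one constructed JSON-RPC request through the guard with the given
// Host, Origin and Authorization headers and returns the resulting HTTP status.
func sendRPC(host, origin, auth string) int {
	body := `{"jsonrpc":"2.0","id":1,"method":"example_method"}` // constructed; not a real stakerd method
	req := httptest.NewRequest(http.MethodPost, "http://"+host+"/", strings.NewReader(body))
	req.Host = host
	req.Header.Set("Content-Type", "application/json")
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if auth != "" {
		req.Header.Set("Authorization", auth)
	}
	rec := httptest.NewRecorder()
	guardLocalRPC(http.HandlerFunc(rpcHandler)).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("DNS-rebound request :", sendRPC("attacker.example:15812", "", "Bearer "+rpcToken))
	fmt.Println("cross-site browser  :", sendRPC("localhost:15812", "https://attacker.example", ""))
	fmt.Println("local, no token     :", sendRPC("localhost:15812", "", ""))
	fmt.Println("genuine staker-cli  :", sendRPC("localhost:15812", "", "Bearer "+rpcToken))
}
```

The Host check runs first because a rebound request can satisfy every other condition once the browser considers the server same-origin; the bearer token is the backstop for any request that slips past the two header checks, and it is compared in constant time so a malicious page cannot time its way to the secret.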

Remediation

This issue has been acknowledged by Babylon Labs, which noted that it is the responsibility of the program operator to ensure that the relevant port is sufficiently protected and not accessible to the outside world.

Zellic © 2025