Assessment report: Babylon Genesis Chain, informational findings
Category: Business Logic

ERC-2335 checksum does not use an HMAC

Severity: Informational
Impact: Informational
Likelihood: N/A

Description

The ERC-2335 container format used for storing BLS keys encrypts the secret with counter-mode AES (aes-128-ctr), an unauthenticated mode of encryption, and protects it with a checksum of SHA256(key || ciphertext), where key is the second 16 bytes of the KDF-derived decryption key (the first 16 bytes are the AES key). This checksum is not a proper message authentication code: SHA-256 is a Merkle-Damgård hash, so a secret-prefix construction of this shape is subject to length extension, whereas an HMAC is not.

Impact

Because the format places no bound on the ciphertext length, an attacker who can read and write the container can mount a length-extension attack on SHA-256: knowing only the checksum and the length of the hashed input (the 16-byte key half plus the ciphertext), they can append the hash's padding block followed by arbitrary bytes to the ciphertext and compute the matching checksum without knowing the key, so the modified container still passes the checksum and decrypts. Because CTR mode has no diffusion, flipping a bit in the appended ciphertext flips the same bit of the extra plaintext; given multiple opportunities to modify the container, an attacker can therefore steer the appended plaintext bit by bit even without observing the decrypted value directly. This does not lead to a practical attack on the current use: the contained value is a BLS12-381 secret scalar, and blst checks that it is 32 bytes during signing, so the lengthened plaintext is rejected there.

Recommendations

Enforce that the plaintext has the expected length immediately after decryption, rather than only when the key is used for signing.

If using ERC-2335 for variable-length data, either prefix the plaintext with its length and check it after decryption, or ideally extend ERC-2335 to support HMAC-SHA256 as a checksum algorithm.
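The following Python script is an added, self-contained example (not code from the assessment or from Babylon's repository) that reproduces the attack described under Impact and then applies both recommendations. It builds an ERC-2335-shaped container with DK[0:16] as the encryption key and SHA256(DK[16:32] || ciphertext) as the checksum, forges an appended ciphertext by SHA-256 length extension without knowing the password, shows that flipping a bit in the appended ciphertext flips the same plaintext bit, and then shows the forgery being rejected by a post-decryption length check and by an HMAC-SHA256 checksum. Assumptions: because the standard library has no AES, the stream cipher is a stand-in (SHA-256 in counter mode) rather than aes-128-ctr; the KDF is PBKDF2-HMAC-SHA256 with a deliberately low iteration count; the password, salt, IV and 32-byte "scalar" are constructed values.

```python
import hashlib
import hmac
import struct

# --- Minimal SHA-256 with a resumable chaining state, needed for the length-extension step ---
K = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
]
IV = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]
M32 = 0xFFFFFFFF

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & M32

def _compress(state, block):
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & M32)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & M32
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & M32
        a, b, c, d, e, f, g, h = (t1 + t2) & M32, a, b, c, (d + t1) & M32, e, f, g
    return [(x + y) & M32 for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def _pad(total_len):
    """Merkle-Damgard padding for a message of total_len bytes: 0x80, zeros, 64-bit big-endian bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)

def sha256_resume(state, consumed, data):
    """SHA-256 of (P || data) given the chaining state after P, where len(P) = consumed is a multiple of 64."""
    msg = data + _pad(consumed + len(data))
    for i in range(0, len(msg), 64):
        state = _compress(state, msg[i:i + 64])
    return struct.pack(">8I", *state)

def length_extend(digest, hashed_len, suffix):
    """From SHA256(P) and len(P) alone, return (glue, SHA256(P || glue || suffix)); P itself stays unknown."""
    glue = _pad(hashed_len)
    return glue, sha256_resume(list(struct.unpack(">8I", digest)), hashed_len + len(glue), suffix)

# --- ERC-2335-shaped container: DK[0:16] encrypts, DK[16:32] is hashed together with the ciphertext ---
def _ctr_stream(key, iv, n):
    # Stand-in for aes-128-ctr (no AES in the standard library): SHA-256 in counter mode.
    # Any stream cipher behaves identically here; the flaw lives in the checksum, not in the cipher.
    blocks = (hashlib.sha256(key + iv + struct.pack(">Q", i)).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def checksum(dk, ciphertext, use_hmac):
    if use_hmac:  # the recommended fix: a real MAC keyed with the checksum half of DK
        return hmac.new(dk[16:32], ciphertext, hashlib.sha256).digest()
    return hashlib.sha256(dk[16:32] + ciphertext).digest()  # ERC-2335 as specified: SHA256(DK[16:32] || ct)

def seal(dk, iv, secret, use_hmac=False):
    ct = _xor(secret, _ctr_stream(dk[:16], iv, len(secret)))
    return {"iv": iv, "ciphertext": ct, "checksum": checksum(dk, ct, use_hmac)}

def open_container(dk, c, use_hmac=False, expected_len=None):
    if not hmac.compare_digest(checksum(dk, c["ciphertext"], use_hmac), c["checksum"]):
        raise ValueError("checksum mismatch")
    pt = _xor(c["ciphertext"], _ctr_stream(dk[:16], c["iv"], len(c["ciphertext"])))
    if expected_len is not None and len(pt) != expected_len:  # first recommendation: check length right here
        raise ValueError("unexpected plaintext length")
    return pt

def forge_append(c, extra):
    """Attacker with read/write access to the file but no password: append `extra` and fix up the checksum."""
    hashed_len = 16 + len(c["ciphertext"])  # len(DK[16:32] || ciphertext); the secret prefix length is public
    glue, new_sum = length_extend(c["checksum"], hashed_len, extra)
    return {"iv": c["iv"], "ciphertext": c["ciphertext"] + glue + extra, "checksum": new_sum}

def _rejects(dk, c, **kw):
    try:
        open_container(dk, c, **kw)
        return False
    except ValueError:
        return True

def demo():
    # Constructed inputs: low PBKDF2 cost for speed (the spec default is c=262144), fixed IV, fake scalar.
    dk = hashlib.pbkdf2_hmac("sha256", b"password", b"constructed salt", 1000, 32)
    iv, secret = bytes(16), bytes(range(32))  # stand-in for a 32-byte BLS12-381 secret scalar
    c = seal(dk, iv, secret)
    forged_a = forge_append(c, bytes(8))
    forged_b = forge_append(c, b"\x01" + bytes(7))  # same extension with one appended ciphertext bit flipped
    pt_a, pt_b = open_container(dk, forged_a), open_container(dk, forged_b)  # both pass the checksum
    extra_at = len(c["ciphertext"]) + len(_pad(16 + len(c["ciphertext"])))  # offset of `extra` in plaintext
    return {
        "sha256_matches_hashlib": sha256_resume(IV, 0, b"abc") == hashlib.sha256(b"abc").digest(),
        "forged_accepted": pt_a[:32] == secret and len(pt_a) > 32,
        "bit_flip_reaches_plaintext": _xor(pt_a, pt_b) == bytes(extra_at) + b"\x01" + bytes(7),
        "length_check_rejects": _rejects(dk, forged_a, expected_len=32),
        "hmac_rejects": _rejects(dk, forge_append(seal(dk, iv, secret, use_hmac=True), bytes(8)), use_hmac=True),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The forged container decrypts to the original 32-byte scalar followed by the glue padding and the attacker's bytes, each XORed with the keystream at that position. The length check catches this because the plaintext is no longer 32 bytes; the HMAC variant catches it earlier because the outer hash of HMAC breaks the relationship between the tag and the chaining state that length extension depends on.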

Remediation

This issue has been acknowledged by Babylon Labs, and a fix was implemented in commit 432b560e.

Zellic © 2025