Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Babylon Genesis Chain>Informational findings>ERC-2335 checksum does not use an HMAC
GeneralOverview
Findings
Critical (10)
High (4)
Medium (4)
Low (7)
Informational (7)Small nonce bias in EOTS generationECDSA signature verification does not enforce that s is less than half the group orderInconsistent integer types for block heightREDOS in search filterUnsafe random functionERC-2335 checksum does not use an HMACDelayed voting-power updates for slashed validators
DiscussionBabylon node module-wise reviewed parametersDependency management and vulnerability assessmentPanic handling in ABCI++ handlersBehavior of MissedBlocksCounter on consecutive windows
DesignModule: btclightclientModule: btccheckpointModule: checkpointingModule: epochingModule: finalityModule: incentiveModule: monitorModule: mintModule: btcstakingbtc-stakerstaking-expiry-checkerbtc-staking-tsVigilante reporterVigilante submitterVigilante monitor (BTC timestamping monitor)Vigilante BTC staking trackerCryptographyFinality providerCovenant emulatorModule: staking-queue-clientstaking-api-servicebabylon-staking-indexersimple-staking
Audit ResultsAssessment Results
AddendumAddendumNonce reuse in adaptor signatures allows recovering signing key testsKey recovery succeeding on output from a btc-delegations query test
Category: Business Logic

ERC-2335 checksum does not use an HMAC

Informational Severity
Informational Impact
N/A Likelihood

Description

The ERC-2335 container format used for storing BLS keys uses counter-mode AES (aes-128-ctr), an unauthenticated mode of encryption, with a checksum of SHA256(key || ciphertext). This checksum is not a proper message authentication code (for comparison, ).

Impact

Since ERC-2335 stores data of arbitrary length, an attacker that can read and write the container could use a length extension attack on SHA-256 to append data to the ciphertext and recalculate the checksum such that it still successfully decrypts. If they get multiple opportunities to modify the container, they can also flip bits in the appended data to flip bits in the extra plaintext value, even if they cannot observe the decrypted value directly. This does not lead to a practical attack on the current use, since the contained value is a BLS12-381 scalar, which is checked to be 32 bytes by blst during signing.

Recommendations

Enforce that the length of plaintext is as expected immediately after decryption instead of only during signing.

If using ERC-2335 for variable-length data, either prefix the plaintext with its length and check it after decryption, or ideally extend ERC-2335 to support HMAC-SHA256 as a checksum algorithm.

Remediation

This issue has been acknowledged by Babylon Labs, and a fix was implemented in commit 432b560e.

Zellic © 2025Back to top ↑