Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Babylon Genesis Chain>Informational findings>Inconsistent integer types for block height
GeneralOverview
Findings
Critical (10)
High (4)
Medium (4)
Low (7)
Informational (7)Small nonce bias in EOTS generationECDSA signature verification does not enforce that s is less than half the group orderInconsistent integer types for block heightREDOS in search filterUnsafe random functionERC-2335 checksum does not use an HMACDelayed voting-power updates for slashed validators
DiscussionBabylon node module-wise reviewed parametersDependency management and vulnerability assessmentPanic handling in ABCI++ handlersBehavior of MissedBlocksCounter on consecutive windows
DesignModule: btclightclientModule: btccheckpointModule: checkpointingModule: epochingModule: finalityModule: incentiveModule: monitorModule: mintModule: btcstakingbtc-stakerstaking-expiry-checkerbtc-staking-tsVigilante reporterVigilante submitterVigilante monitor (BTC timestamping monitor)Vigilante BTC staking trackerCryptographyFinality providerCovenant emulatorModule: staking-queue-clientstaking-api-servicebabylon-staking-indexersimple-staking
Audit ResultsAssessment Results
AddendumAddendumNonce reuse in adaptor signatures allows recovering signing key testsKey recovery succeeding on output from a btc-delegations query test
Category: Business Logic

Inconsistent integer types for block height

Informational Severity
Informational Impact
N/A Likelihood

Description

In the msg_server.go file of the finality module, the code compares fp.HighestVotedHeight (a uint32 in the database) with req.BlockHeight (a uint64 from the message):

if fp.HighestVotedHeight < uint32(req.BlockHeight) {
    ...
}

Strictly speaking, this comparison is safe as long as the block height never exceeds the 32-bit integer limit. However, it introduces an inconsistency between the types used in the message (uint64) and the types used for storing the height in the database (uint32). If a network were to run for decades or have extremely rapid block production such that the block height could approach or exceed the uint32 maximum, this mismatch might lead to incorrect comparisons.

Impact

The likelihood of reaching uint32 overflow for the block height is extremely low in typical deployments (e.g., 10-second blocks would still take decades to exhaust the limit). Nonetheless, this is not best practice and could theoretically cause unexpected behavior if ever triggered. It may also lead to confusion in code maintenance due to the inconsistent use of uint32 vs uint64 across modules.

Recommendations

Standardize the block-height type. If the protocol uses uint64 in messages, store the height as uint64 in the database for consistency — or vice versa.

Remediation

This issue has been acknowledged by Babylon Labs, who considers uint32 sufficient for block-height storage. The current design is that the block height is expected to remain well below within the foreseeable operational lifetime (on the order of several decades). They acknowledge this is a minor inconsistency but do not view it as a security risk worth restructuring major parts of the code. The client therefore accepts the minor mismatch and does not plan any changes unless block-frequency assumptions significantly shift.

Zellic © 2025Back to top ↑