Category: Coding Mistakes
Incorrect negative checks
Low Severity
Low Impact
Low Likelihood
Description
In btc-staking-ts, there are multiple functions that claim to validate whether values are negative but do so incorrectly.
For example, in the StakingScripts class:
// check that maximum value for staking time is not greater than uint16 and above 0
if (this.stakingTimeLock == 0 || this.stakingTimeLock > 65535) {
  return false;
}
// check that maximum value for unbonding time is not greater than uint16 and above 0
if (this.unbondingTimeLock == 0 || this.unbondingTimeLock > 65535) {
  return false;
}
In addition, the ObservableStaking class does not validate whether the btcActivationHeight field is a negative number.
Impact
A user or dApp would not be prevented from accidentally supplying a negative number for these fields, which could lead to unintended behavior.
In the case of StakingScripts, this value would be compiled into the Bitcoin script and passed to the OP_CHECKSEQUENCEVERIFY opcode, which could lead to errors upon execution.
Recommendations
Fix the checks to prevent negative values.
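The following is an added example, not code from btc-staking-ts or from the fix commit: it contrasts the check quoted above with a stricter range check and shows the script-number bytes a negative timelock would encode to (BIP 112 makes OP_CHECKSEQUENCEVERIFY fail when the top stack item is negative). All function names and sample values are constructed, and the stricter check goes slightly beyond the finding by also rejecting non-integer and NaN inputs.

```typescript
// Added example; names are hypothetical and not taken from btc-staking-ts.
const UINT16_MAX = 65535;

// The check as quoted in the finding: only 0 and values above 65535 are rejected.
function originalCheck(timeLock: number): boolean {
  if (timeLock == 0 || timeLock > UINT16_MAX) {
    return false;
  }
  return true;
}

// Stricter variant: require an integer in [1, 65535].
// Number.isInteger also rejects NaN, Infinity and fractional values.
function isValidTimeLock(timeLock: number): boolean {
  return Number.isInteger(timeLock) && timeLock > 0 && timeLock <= UINT16_MAX;
}

// Minimal Bitcoin script-number encoding for an integer n: little-endian
// magnitude with the sign carried in the high bit of the last byte.
function encodeScriptNum(n: number): string {
  if (n === 0) return "";
  const negative = n < 0;
  let abs = Math.abs(n);
  const bytes: number[] = [];
  while (abs > 0) {
    bytes.push(abs % 256);
    abs = Math.floor(abs / 256);
  }
  const top = bytes.pop() ?? 0;
  if (top & 0x80) {
    // High bit already used by the magnitude: append a separate sign byte.
    bytes.push(top, negative ? 0x80 : 0x00);
  } else {
    bytes.push(negative ? top | 0x80 : top);
  }
  return bytes.map((b) => (b < 16 ? "0" : "") + b.toString(16)).join("");
}

// Constructed sample inputs: values the quoted check accepts but the
// stricter check rejects.
const SAMPLES = [-1, -144, 0, 1, 1.5, NaN, 65535, 65536];
function missedByOriginal(): number[] {
  return SAMPLES.filter((v) => originalCheck(v) && !isValidTimeLock(v));
}
```

Here `encodeScriptNum(-144)` yields `9080`, a negative script number, while the valid value 144 encodes as `9000`.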
Remediation
This issue has been acknowledged by Babylon Labs, and a fix was implemented in commit 924d3d12.