Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Babylon Genesis Chain>Low findings>Incorrect negative checks
GeneralOverview
Findings
Critical (10)
High (4)
Medium (4)
Low (7)Inability to restore confirmed checkpoints to sealed stateLack of commission-rate change restrictions in EditFinalityProviderHide slashing targets from vigilante by spammingPublic randomness reset due to block-height overflowIncorrect negative checksUnsafe swagger Content Security PolicyMultiple issues when inputting password for the BLS keystore
Informational (7)
DiscussionBabylon node module-wise reviewed parametersDependency management and vulnerability assessmentPanic handling in ABCI++ handlersBehavior of MissedBlocksCounter on consecutive windows
DesignModule: btclightclientModule: btccheckpointModule: checkpointingModule: epochingModule: finalityModule: incentiveModule: monitorModule: mintModule: btcstakingbtc-stakerstaking-expiry-checkerbtc-staking-tsVigilante reporterVigilante submitterVigilante monitor (BTC timestamping monitor)Vigilante BTC staking trackerCryptographyFinality providerCovenant emulatorModule: staking-queue-clientstaking-api-servicebabylon-staking-indexersimple-staking
Audit ResultsAssessment Results
AddendumAddendumNonce reuse in adaptor signatures allows recovering signing key testsKey recovery succeeding on output from a btc-delegations query test
Category: Coding Mistakes

Incorrect negative checks

Low Severity
Low Impact
Low Likelihood

Description

In btc-staking-ts, there are multiple functions that claim to validate whether values are negative but do so incorrectly.

For example, in the StakingScripts class:

// check that maximum value for staking time is not greater than uint16 and above 0
if (this.stakingTimeLock == 0 || this.stakingTimeLock > 65535) {
    return false;
}

// check that maximum value for unbonding time is not greater than uint16 and above 0
if (this.unbondingTimeLock == 0 || this.unbondingTimeLock > 65535) {
    return false;
}

In addition, the ObservableStaking class does not validate whether the btcActivationHeight field is a negative number.

Impact

A user or dApp would not be prevented from accidentally supplying a negative number for these fields, which could lead to unintended behavior.

In the case of StakingScripts, this value would be compiled into the Bitcoin script and passed to the OP_CHECKSEQUENCEVERIFY opcode, which could lead to errors upon execution.

Recommendations

Fix the checks to prevent negative values.

Remediation

This issue has been acknowledged by Babylon Labs, and a fix was implemented in commit 924d3d12.

Zellic © 2025Back to top ↑