Assessment reports>Babylon Genesis Chain>Medium findings>Proposal vote extensions' byte limit
Category: Coding Mistakes

Proposal vote extensions' byte limit

Medium Severity
Medium Impact
Low Likelihood

Description

When adding vote extensions to the proposal, there are no checks ensuring that the added vote extensions do not push the proposal over the maximum proposal size allowed (the default is 10,000).

func (h *ProposalHandler) PrepareProposal() sdk.PrepareProposalHandler {
    return func(ctx sdk.Context, req *abci.RequestPrepareProposal) (*abci.ResponsePrepareProposal, error) {
        // 3. inject a "fake" tx into the proposal s.t. validators can decode, verify the checkpoint
        injectedCkpt := &ckpttypes.MsgInjectedCheckpoint{
            Ckpt:               ckpt,
            ExtendedCommitInfo: &req.LocalLastCommit,
        }
        injectedVoteExtTx, err := h.buildInjectedTxBytes(injectedCkpt)
        if err != nil {
            return nil, fmt.Errorf("failed to encode vote extensions into a special tx: %w", err)
        }
        proposalTxs = slices.Insert(proposalTxs, defaultInjectedTxIndex, [][]byte{injectedVoteExtTx}...)

        return &abci.ResponsePrepareProposal{
            Txs: proposalTxs,
        }, nil
    }
}

Impact

A proposer might have their proposal rejected and be slashed.

Recommendations

Adjust the logic to account for the extra bytes of the vote extensions.

Remediation

This issue has been acknowledged by Babylon Labs, and a fix was implemented in commit aa827f87.

This was remediated by the above recommendation.

Zellic © 2025Back to top ↑