Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Babylon Genesis Chain>Medium findings>Proposal vote extensions' byte limit
GeneralOverview
Findings
Critical (10)
High (4)
Medium (4)Griefing vector through fork handling in btclightclientFloating values result in nondeterminismThe test keyring backend is usedProposal vote extensions' byte limit
Low (7)
Informational (7)
DiscussionBabylon node module-wise reviewed parametersDependency management and vulnerability assessmentPanic handling in ABCI++ handlersBehavior of MissedBlocksCounter on consecutive windows
DesignModule: btclightclientModule: btccheckpointModule: checkpointingModule: epochingModule: finalityModule: incentiveModule: monitorModule: mintModule: btcstakingbtc-stakerstaking-expiry-checkerbtc-staking-tsVigilante reporterVigilante submitterVigilante monitor (BTC timestamping monitor)Vigilante BTC staking trackerCryptographyFinality providerCovenant emulatorModule: staking-queue-clientstaking-api-servicebabylon-staking-indexersimple-staking
Audit ResultsAssessment Results
AddendumAddendumNonce reuse in adaptor signatures allows recovering signing key testsKey recovery succeeding on output from a btc-delegations query test
Category: Coding Mistakes

Proposal vote extensions' byte limit

Medium Severity
Medium Impact
Low Likelihood

Description

When adding vote extensions to the proposal, there are no checks ensuring that the added vote extensions do not push the proposal over the maximum proposal size allowed (the default is 10,000).

func (h *ProposalHandler) PrepareProposal() sdk.PrepareProposalHandler {
    return func(ctx sdk.Context, req *abci.RequestPrepareProposal) (*abci.ResponsePrepareProposal, error) {
        // 3. inject a "fake" tx into the proposal s.t. validators can decode, verify the checkpoint
        injectedCkpt := &ckpttypes.MsgInjectedCheckpoint{
            Ckpt:               ckpt,
            ExtendedCommitInfo: &req.LocalLastCommit,
        }
        injectedVoteExtTx, err := h.buildInjectedTxBytes(injectedCkpt)
        if err != nil {
            return nil, fmt.Errorf("failed to encode vote extensions into a special tx: %w", err)
        }
        proposalTxs = slices.Insert(proposalTxs, defaultInjectedTxIndex, [][]byte{injectedVoteExtTx}...)

        return &abci.ResponsePrepareProposal{
            Txs: proposalTxs,
        }, nil
    }
}

Impact

A proposer might have their proposal rejected and be slashed.

Recommendations

Adjust the logic to account for the extra bytes of the vote extensions.

Remediation

This issue has been acknowledged by Babylon Labs, and a fix was implemented in commit aa827f87.

This was remediated by the above recommendation.

Zellic © 2025Back to top ↑