Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Babylon Genesis Chain>Discussion>Dependency management and vulnerability assessment
GeneralOverview
Findings
Critical (10)
High (4)
Medium (4)
Low (7)
Informational (7)
DiscussionBabylon node module-wise reviewed parametersDependency management and vulnerability assessmentPanic handling in ABCI++ handlersBehavior of MissedBlocksCounter on consecutive windows
DesignModule: btclightclientModule: btccheckpointModule: checkpointingModule: epochingModule: finalityModule: incentiveModule: monitorModule: mintModule: btcstakingbtc-stakerstaking-expiry-checkerbtc-staking-tsVigilante reporterVigilante submitterVigilante monitor (BTC timestamping monitor)Vigilante BTC staking trackerCryptographyFinality providerCovenant emulatorModule: staking-queue-clientstaking-api-servicebabylon-staking-indexersimple-staking
Audit ResultsAssessment Results
AddendumAddendumNonce reuse in adaptor signatures allows recovering signing key testsKey recovery succeeding on output from a btc-delegations query test

Dependency management and vulnerability assessment

During the audit, we thoroughly evaluated all external dependencies integrated into the product to ensure their security and up-to-date status, with a key focus on the Cosmos SDK utilized within the Babylon chain.

We identified that the Babylon chain is using Cosmos SDK version 0.50.9, as verified by the target audit commit hash found in the go.mod file.

However, version 0.50.9 of Cosmos SDK has a documented security vulnerability GHSA-8wcc-m6j2-qxvm, which poses potential risks to the integrity and security of the blockchain network.

At the start of the audit, the Babylon team was aware of this fact and was in the process of modifying some code to ensure compatibility with the latest version of the Cosmos SDK. By the end of the audit, the upgrade to version v0.50.12 had been completed.

Zellic © 2025Back to top ↑