Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Babylon Genesis Chain>Design>staking-api-service
GeneralOverview
Findings
Critical (10)
High (4)
Medium (4)
Low (7)
Informational (7)
DiscussionBabylon node module-wise reviewed parametersDependency management and vulnerability assessmentPanic handling in ABCI++ handlersBehavior of MissedBlocksCounter on consecutive windows
DesignModule: btclightclientModule: btccheckpointModule: checkpointingModule: epochingModule: finalityModule: incentiveModule: monitorModule: mintModule: btcstakingbtc-stakerstaking-expiry-checkerbtc-staking-tsVigilante reporterVigilante submitterVigilante monitor (BTC timestamping monitor)Vigilante BTC staking trackerCryptographyFinality providerCovenant emulatorModule: staking-queue-clientstaking-api-servicebabylon-staking-indexersimple-staking
Audit ResultsAssessment Results
AddendumAddendumNonce reuse in adaptor signatures allows recovering signing key testsKey recovery succeeding on output from a btc-delegations query test

staking-api-service

Description

The staking-api-service is an API service that facilitates staking operations. It serves as an interface between users and the staking infrastructure, handling requests, retrieving network data, and managing staking-related transactions.

This module is responsible for

  • providing staking-related API services — including retrieving network status and staking-transaction data

  • database management — interacting with staking-related records in MongoDB

  • handling request processing — including CLI commands and background job execution

  • observability — exposing metrics and health checks for service monitoring

Here are its key functionalities:

  • Network-information retrieval — fetches and provides blockchain network status

  • Database integration — manages staking-data storage and retrieval in MongoDB

  • API endpoint management — handles and validates API requests related to staking

  • Queue processing — processes messages for handling staking-related tasks asynchronously

  • Security and observability — implements logging, metrics, and monitoring tools

Invariants

  • API endpoints should be protected against unauthorized access and abuse.

  • Staking transactions should not be duplicated if reprocessed.

Test coverage

Cases covered

  • Network-information retrieval — ensuring API correctly fetches blockchain network status and validating that retrieved data is structured and accurate

  • Database interaction — ensuring database queries retrieve and store staking data correctly and validating proper indexing and performance optimizations

  • API endpoint handling — ensuring API endpoints correctly process staking-related requests

Cases not covered

  • The system does not have explicit tests for API authentication and role-based authorization.

Attack surface

If API endpoints are not secured, attackers could access sensitive staking data. Proper authentication and authorization should be enforced to prevent unauthorized access. If input validation is insufficient, attackers may attempt SQL/NoSQL injection. All queries should use parameterized statements to mitigate this risk.

Zellic © 2025Back to top ↑