GHSA-869w-47c6-fq8q – github.com/babylonlabs-io/babylon
Package
Manager: go
Name: github.com/babylonlabs-io/babylon
Vulnerable Version: >=0 <1.1.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Babylon Integer Overflow in Distribution Module CumulativeRewardRatio Calculation Leading to Chain Halt

### Summary
Minting a large amount of tokens through an IBC transfer and then depositing them in the validator rewards pool (via the `DepositValidatorRewardsPool` message) can lead to an integer overflow panic when calculating `cumulative_reward_ratio` for the validator. This calculation happens in the `x/epoching` module `EndBlocker`, so the panic halts the chain.

### Impact
Denial of Service: because the panic occurs in the `EndBlocker`, Babylon Genesis will halt.
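The failure mode above, as an added illustration that is not Babylon's or the Cosmos SDK's own code: a simplified model of the fixed-precision reward ratio (18 fractional digits, 256-bit cap, both assumed for this example) where the overflow is caught at deposit time and returned as an error, rather than surfacing as a panic in the EndBlocker. `checkedRewardRatio` and `validateDeposit` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// Assumed model of a fixed-precision decimal: 18 fractional digits and a
// 256-bit cap on the scaled integer. Real SDK decimal types differ in detail.
const (
	precision = 18
	maxBits   = 256
)

var precisionMul = new(big.Int).Exp(big.NewInt(10), big.NewInt(precision), nil)

var ErrOverflow = errors.New("cumulative reward ratio overflow")

// checkedRewardRatio computes rewards / stake as a scaled integer
// (ratio * 10^18). The multiplication by 10^18 is the step that can
// blow past the bit cap for a very large rewards amount; instead of
// panicking, the overflow is reported as an error the caller can handle.
func checkedRewardRatio(rewards, stake *big.Int) (*big.Int, error) {
	if stake.Sign() <= 0 {
		return nil, errors.New("stake must be positive")
	}
	scaled := new(big.Int).Mul(rewards, precisionMul)
	if scaled.BitLen() > maxBits {
		return nil, ErrOverflow
	}
	return scaled.Quo(scaled, stake), nil
}

// validateDeposit is the kind of guard a deposit message handler can apply
// so that an amount which would overflow the later ratio calculation fails
// the transaction instead of the block.
func validateDeposit(amount, stake *big.Int) error {
	_, err := checkedRewardRatio(amount, stake)
	return err
}

func main() {
	// Constructed sample values: a normal deposit and an oversized one.
	ratio, err := checkedRewardRatio(big.NewInt(1000), big.NewInt(4))
	fmt.Println("ratio:", ratio, "err:", err)
	huge := new(big.Int).Lsh(big.NewInt(1), 250) // 2^250 tokens
	fmt.Println("oversized deposit:", validateDeposit(huge, big.NewInt(1)))
}
```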
Metadata
Created: 2025-05-15T14:05:50Z
Modified: 2025-05-22T14:57:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-869w-47c6-fq8q/GHSA-869w-47c6-fq8q.json
CWE IDs: ["CWE-190", "CWE-770"]
Alternative ID: N/A
Finding: F067
Auto approve: 1