GHSA-rj53-j6jw-7f7g – github.com/babylonlabs-io/babylon/v2

Package

Manager: go
Name: github.com/babylonlabs-io/babylon/v2
Vulnerable Version: >=2.0.0 <2.1.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

EPSS: N/A pctlN/A

Details

Babylon vulnerable to chain halt when a message modifies the validator set at the epoch boundary ### Summary Sending a message that modifies the validator set at the epoch boundary halts the chain. ### Impact Denial of Service - Comos-sdk prevents modifying the validator set from two different modules - https://github.com/cosmos/cosmos-sdk/blob/release/v0.50.x/types/module/module.go#L811. Such an operation leads to panic and chain halt. ### Detailed Post mortem https://boiling-lake-106.notion.site/2025-06-18-Genesis-mainnet-chain-halt-post-mortem-229f60cc1b5f80b7adf5e3ea0541ea87

Metadata

Created: 2025-07-08T19:09:11Z
Modified: 2025-07-08T19:09:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-rj53-j6jw-7f7g/GHSA-rj53-j6jw-7f7g.json
CWE IDs: ["CWE-754"]
Alternative ID: N/A
Finding: F002
Auto approve: 1