Babylon Labs
Babylon introduces a new major utility for Bitcoin: trustless and self-custodial staking. The Babylon Bitcoin staking protocol turns Bitcoin into a stakable and slashable asset for any Proof-of-Stake systems. This allows Bitcoin HODLERs to hold their Bitcoins while earning staking rewards from the PoS systems for the slashable security they provide, in the same way as how native PoS token staking works.
Triaged by Immunefi
PoC Required
KYC required
Arbitration enabled
Select the category you'd like to explore
Assets in Scope
Impacts in Scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
For the Unbonding Pipeline Process, the following code components and branches are in-scope:
Everything here https://github.com/babylonlabs-io/cli-tools/blob/v0.2.x/, except the following test commands:
- createStakingTxCmd https://github.com/babylonlabs-io/cli-tools/blob/v0.2.x/cmd/createStakingTxCmd.go
- createUnbondingTxCmd https://github.com/babylonlabs-io/cli-tools/blob/v0.2.x/cmd/createUnbondingTxCmd.go
- createWithdrawTxCmd https://github.com/babylonlabs-io/cli-tools/blob/v0.2.x/cmd/createWithdrawTxCmg.go
Direct loss of funds
Permanent freezing of funds
Execute arbitrary system commands
Retrieve the private key of a covenant committee member
Leakage of EOTS private keys without the holder double-signing
Chain halt for 24h
Permanently halting the Bitcoin Staking finalization of new blocks without ability to recover.
Retrieve sensitive data/files from a running server, such as: /etc/shadow database passwords blockchain keys This does not include non-sensitive environment variables, open source code, or usernames etc with no operational impact.
Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as: Making trades
Subdomain takeover with already-connected wallet interaction
Direct theft of user funds or causing their freezing
Malicious interactions with an already-connected wallet without user interaction, such as: Modifying transaction arguments or parameters Submitting malicious transactions
Out of scope
Additional Blockchain/DLT Specific:
- Impacts involving centralization risks
- Impacts involving Bitcoin not being live or safe.
- Impacts involving the Babylon validator set not being live or safe.
- Impacts involving the temporary downtime of relayers between Babylon and Bitcoin.
- Impacts involving the submission of a large number of transactions to the Bitcoin ledger and their delayed inclusion.
- Impacts involving >=⅓ malicious finality voting power.
- Impacts involving >= ⅓ malicious CometBFT voting power.
- Impacts involving a quorum of the covenant committee being malicious.
- Impacts preventing a quorum of the covenant committee to be reached due to a full quorum not being live.
- Impacts involving the confirmation depth and finalization timeout parameters being set to an improperly low value.
- Impacts involving a user’s staking transaction being included in a Bitcoin block in which different Bitcoin staking parameters than the ones the user used apply.
Prohibited Activities:
- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
- Any testing with pricing oracles, third-party smart contracts or cloud services
- Attempting phishing or other social engineering attacks against our employees, and/or customers, service providers and community members
- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks that are executed against project assets
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
Blockchain/DLT specific
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers