GHSA-4RMQ-MC2C-R495

Vulnerability from github – Published: 2025-12-09 14:25 – Updated: 2025-12-09 14:25
Summary
Babylon Incorrect FP inactive accounting in costaking creates “phantom stake” that earns rewards after BTC unbond
Details

Summary

A state consistency bug in x/costaking can leave a BTC delegator with non-zero ActiveSatoshis ("phantom stake") even after they have fully unbonded their BTC delegation, if their Finality Provider (FP) drops out of the active set at the exact same Babylon block height. The result is a "phantom stake": the delegator's BTC capital is withdrawn and the FP is inactive, but costaking continues to treat the delegation as active BTC stake, allowing ongoing reward accrual without any backing BTC.

Impact

An address can keep earning costaking rewards with zero BTC staked.

Reported by @BottyBott.
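As an added illustration, not code from the Babylon project or from this advisory, the following Go program models the invariant the advisory describes being violated: a costaker's tracked ActiveSatoshis must equal the satoshis of its non-unbonded delegations to finality providers currently in the active set. The types, function names, the bbn1alice/bbn1bob addresses and the fp-A/fp-B identifiers are all constructed assumptions. CheckPhantomStake recomputes the expected balance from the delegation set alone and reports any staker whose tracked balance diverges from the BTC actually backing it (the constructed sample reproduces the advisory's outcome for one staker), and Reconcile shows the corrective recomputation that restores consistency.

```go
package main

import (
	"fmt"
	"sort"
)

// Hypothetical, simplified model used only to illustrate the invariant the
// advisory describes. These are NOT Babylon's x/costaking types or functions.

// Delegation is one BTC delegation as recorded by the BTC staking side.
type Delegation struct {
	Staker   string // delegator address (constructed sample value)
	FP       string // finality provider the delegation points at
	Sats     uint64 // delegated satoshis
	Unbonded bool   // true once the BTC has been fully unbonded
}

// CostakingView is the costaking side: satoshis it treats as active per
// staker, plus the set of finality providers currently in the active set.
type CostakingView struct {
	ActiveSatoshis map[string]uint64
	ActiveFPs      map[string]bool
}

// Discrepancy reports one staker whose costaking balance does not match the
// BTC actually backing it.
type Discrepancy struct {
	Staker  string
	Tracked uint64 // what costaking thinks is active
	Backed  uint64 // what active, non-unbonded delegations actually sum to
}

// expectedActive recomputes, from the delegation set alone, how many satoshis
// each staker should be credited with: only non-unbonded delegations to an FP
// that is in the active set count (assumption of this model).
func expectedActive(dels []Delegation, activeFPs map[string]bool) map[string]uint64 {
	out := make(map[string]uint64)
	for _, d := range dels {
		if d.Unbonded || !activeFPs[d.FP] {
			continue
		}
		out[d.Staker] += d.Sats
	}
	return out
}

// CheckPhantomStake is the invariant check: every tracked balance must equal
// the recomputed one. tracked > backed is "phantom stake"; tracked < backed
// is under-crediting, which is also reported.
func CheckPhantomStake(view CostakingView, dels []Delegation) []Discrepancy {
	want := expectedActive(dels, view.ActiveFPs)
	seen := make(map[string]bool)
	var out []Discrepancy
	for staker, tracked := range view.ActiveSatoshis {
		seen[staker] = true
		if tracked != want[staker] {
			out = append(out, Discrepancy{Staker: staker, Tracked: tracked, Backed: want[staker]})
		}
	}
	for staker, backed := range want {
		if !seen[staker] && backed != 0 {
			out = append(out, Discrepancy{Staker: staker, Tracked: 0, Backed: backed})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Staker < out[j].Staker })
	return out
}

// Reconcile overwrites the tracked balances with the recomputed ones: the
// corrective action a fix or state migration would take after detecting drift.
func Reconcile(view *CostakingView, dels []Delegation) {
	view.ActiveSatoshis = expectedActive(dels, view.ActiveFPs)
}

// SampleState builds the constructed scenario: "bbn1alice" fully unbonded in
// the same block in which FP "fp-A" left the active set, yet costaking still
// carries 50_000 sats for her. "bbn1bob" is a consistent control case.
func SampleState() (CostakingView, []Delegation) {
	dels := []Delegation{
		{Staker: "bbn1alice", FP: "fp-A", Sats: 50_000, Unbonded: true},
		{Staker: "bbn1bob", FP: "fp-B", Sats: 20_000, Unbonded: false},
	}
	view := CostakingView{
		ActiveSatoshis: map[string]uint64{"bbn1alice": 50_000, "bbn1bob": 20_000},
		ActiveFPs:      map[string]bool{"fp-B": true}, // fp-A has dropped out
	}
	return view, dels
}

func main() {
	view, dels := SampleState()
	for _, d := range CheckPhantomStake(view, dels) {
		fmt.Printf("phantom stake: %s tracked=%d backed=%d\n", d.Staker, d.Tracked, d.Backed)
	}
	Reconcile(&view, dels)
	fmt.Printf("after reconcile: %d discrepancies\n", len(CheckPhantomStake(view, dels)))
}
```

Run as-is, the check flags bbn1alice (tracked 50000, backed 0) and reports zero discrepancies after reconciliation. Running a check of this shape as a chain invariant or in an end-of-block audit is how a phantom-stake condition is caught at the block where the two transitions coincide, rather than after rewards have already accrued.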


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/babylonlabs-io/babylon/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/babylonlabs-io/babylon/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.0.0-snapshot.250805a"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/babylonlabs-io/babylon/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/babylonlabs-io/babylon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-459"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-09T14:25:03Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nA state consistency bug in `x/costaking` can leave a BTC delegator with non-zero `ActiveSatoshis` (Phatom Stake) even after they have fully unbonded their BTC delegation, if their Finality Provider (FP) drops out of the active set in the exact same babylon block height. This creates a \u201cphantom stake\u201d: the delegator\u2019s BTC capital is withdrawn, the FP is inactive, but costaking continues to treat the delegation as active BTC stake allowing ongoing rewards accrual without backing BTC.\n\n### Impact\n\nAn address can keep earning costaking rewards with zero BTC staked.\n\nReported by @BottyBott.",
  "id": "GHSA-4rmq-mc2c-r495",
  "modified": "2025-12-09T14:25:03Z",
  "published": "2025-12-09T14:25:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/babylonlabs-io/babylon/security/advisories/GHSA-4rmq-mc2c-r495"
    },
    {
      "type": "WEB",
      "url": "https://github.com/babylonlabs-io/babylon/commit/e65c3a55a398a403103f1b089cf76f0d4befc7a0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/babylonlabs-io/babylon"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Babylon Incorrect FP inactive accounting in costaking creates \u201cphantom stake\u201d that earns rewards after BTC unbond"
}

