GHSA-869w-47c6-fq8q: Babylon Integer Overflow in Distribution Module CumulativeRewardRatio Calculation Leading to Chain Halt
Minting a large amount of tokens through an IBC transfer and then depositing them into a validator's rewards pool (via the DepositValidatorRewardsPool message) can cause an integer overflow panic when the validator's cumulative_reward_ratio is calculated. That calculation runs in the x/epoching module's EndBlocker, so the panic halts the chain.
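An added example, not Babylon's code, of the defensive pattern the advisory implies: compute the reward ratio with width-checked big-integer arithmetic and reject an oversized deposit in the message handler with an error, so the value never reaches the EndBlocker where an overflow panic would halt the chain. The ratio formula, the 256-bit cap and the 18-decimal scale are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// maxBits stands in for the width of the fixed-size decimal type a Cosmos SDK
// module would use; exceeding it is what turns into the overflow panic (assumed).
const maxBits = 256

// scale is the fixed-point precision, 18 decimals here (assumed).
var scale = new(big.Int).Exp(big.NewInt(10), big.NewInt(18), nil)
var ErrRewardOverflow = errors.New("cumulative reward ratio overflow")

// checkedRewardRatio computes rewards*scale/stake as a fixed-point integer and
// returns an error, rather than panicking, when the result exceeds maxBits.
func checkedRewardRatio(rewards, stake *big.Int) (*big.Int, error) {
	if stake.Sign() <= 0 {
		return nil, errors.New("stake must be positive")
	}
	r := new(big.Int).Mul(rewards, scale)
	r.Quo(r, stake)
	if r.BitLen() > maxBits {
		return nil, ErrRewardOverflow
	}
	return r, nil
}

// addToCumulative updates the running ratio with the same width check, so an
// oversized deposit is rejected at the message handler instead of reaching EndBlocker.
func addToCumulative(cumulative, rewards, stake *big.Int) (*big.Int, error) {
	delta, err := checkedRewardRatio(rewards, stake)
	if err != nil {
		return nil, err
	}
	sum := new(big.Int).Add(cumulative, delta)
	if sum.BitLen() > maxBits {
		return nil, ErrRewardOverflow
	}
	return sum, nil
}

func main() {
	stake := big.NewInt(1_000_000)
	huge := new(big.Int).Lsh(big.NewInt(1), 300) // constructed oversized mint (2^300)
	_, err := addToCumulative(big.NewInt(0), huge, stake)
	fmt.Println(err) // cumulative reward ratio overflow
}
```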