GHSA-4rmq-mc2c-r495: Babylon Incorrect FP inactive accounting in costaking creates “phantom stake” that earns rewards after BTC unbond
A state consistency bug in x/costaking can leave a BTC delegator with non-zero ActiveSatoshis (phantom stake) even after they have fully unbonded their BTC delegation, if their Finality Provider (FP) drops out of the active set at the exact same Babylon block height. This creates a “phantom stake”: the delegator’s BTC capital is withdrawn and the FP is inactive, but costaking continues to treat the delegation as active BTC stake, allowing ongoing rewards accrual without backing BTC.
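The invariant this bug violates can be audited after each block. The following is an added example, not Babylon's code: a Go check over a constructed end-of-block snapshot that flags costaking ActiveSatoshis not backed by a bonded delegation to an active FP. The `Snapshot` and `Delegation` types and all sample values are hypothetical simplifications, not the module's real state layout.

```go
package main

import "fmt"

// Delegation is a simplified, hypothetical view of one BTC delegation.
type Delegation struct {
	Delegator, FP string
	Sats          uint64
	Unbonded      bool
}

// Snapshot is a hypothetical end-of-block export of the relevant state.
type Snapshot struct {
	ActiveFPs     map[string]bool   // FPs in the active set at this height
	Delegations   []Delegation      // BTC staking view
	CostakingSats map[string]uint64 // costaking ActiveSatoshis per delegator
}

// PhantomStake returns, per delegator, the ActiveSatoshis that costaking
// tracks beyond what bonded delegations to active FPs actually back.
func PhantomStake(s Snapshot) map[string]uint64 {
	backed := map[string]uint64{}
	for _, d := range s.Delegations {
		if !d.Unbonded && s.ActiveFPs[d.FP] {
			backed[d.Delegator] += d.Sats
		}
	}
	phantom := map[string]uint64{}
	for del, tracked := range s.CostakingSats {
		if tracked > backed[del] {
			phantom[del] = tracked - backed[del]
		}
	}
	return phantom
}

// sampleSnapshot is constructed data: bob unbonds in the same block in which
// fp-b leaves the active set, yet costaking still tracks his 80000 sats.
func sampleSnapshot() Snapshot {
	return Snapshot{
		ActiveFPs: map[string]bool{"fp-a": true},
		Delegations: []Delegation{
			{"alice", "fp-a", 50000, false},
			{"bob", "fp-b", 80000, true},
		},
		CostakingSats: map[string]uint64{"alice": 50000, "bob": 80000},
	}
}

func main() {
	for del, sats := range PhantomStake(sampleSnapshot()) {
		fmt.Printf("phantom stake: %s has %d unbacked ActiveSatoshis\n", del, sats)
	}
}
```

A non-empty result means rewards are accruing on stake with no backing BTC; a consistent state returns an empty map.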