Nil BlockHash in BLS vote extensions triggers panics in consensus handlers

High
filippos47 published GHSA-m6wq-66p2-c8pc Dec 8, 2025

Package

No package listed

Affected versions

< 4.2.0

Patched versions

4.2.0

Description

Summary

A vulnerability exists in Babylon’s BLS vote extension processing where a malicious active validator can submit a VoteExtension with the block_hash field omitted from the protobuf serialization. Because protobuf fields are optional, unmarshalling succeeds but leaves BlockHash as nil. Babylon then dereferences this nil pointer in consensus-critical code paths (notably VerifyVoteExtension, and also proposal-time vote verification), causing a runtime panic.
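The failure mode described above, as an added example that is not Babylon's code or the 4.2.0 patch: the types, the one-field tag/length/value encoding and the function names are hypothetical stand-ins. It shows a decode that succeeds with the hash field absent, the unchecked dereference that panics, and a nil check that rejects the extension with an error instead.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the advisory's types; not Babylon's definitions.
type BlockHash []byte

type VoteExtension struct{ BlockHash *BlockHash } // nil when the field is absent

// decode reads a constructed layout (tag 0x0a, length, bytes); an absent field is not an error.
func decode(b []byte) (*VoteExtension, error) {
	ve := &VoteExtension{}
	for len(b) > 0 {
		if len(b) < 2 || b[0] != 0x0a || len(b) < 2+int(b[1]) {
			return nil, errors.New("malformed vote extension")
		}
		h := BlockHash(b[2 : 2+int(b[1])])
		ve.BlockHash, b = &h, b[2+int(b[1]):]
	}
	return ve, nil
}

// verifyUnchecked dereferences BlockHash directly and panics when it is nil.
func verifyUnchecked(ve *VoteExtension, want []byte) bool {
	return bytes.Equal(*ve.BlockHash, want)
}

// verifyChecked rejects a missing hash with an error instead of panicking.
func verifyChecked(ve *VoteExtension, want []byte) error {
	if ve == nil || ve.BlockHash == nil {
		return errors.New("vote extension: block_hash is missing")
	}
	if !bytes.Equal(*ve.BlockHash, want) {
		return errors.New("vote extension: block_hash mismatch")
	}
	return nil
}

func main() {
	ve, err := decode(nil) // constructed input: the hash field is omitted
	fmt.Println("decode error:", err, "| checked:", verifyChecked(ve, []byte{1}))
	defer func() { fmt.Println("unchecked path panicked:", recover() != nil) }()
	verifyUnchecked(ve, []byte{1})
}
```

In a consensus handler the checked path turns a malformed extension into a rejected vote, so the validator process keeps running.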

Impact

Intermittent validator crashes at epoch boundaries, which would slow down the creation of the epoch boundary block.

Finder

Vulnerability discovered by:

  • @GrumpyLaurie55348

Severity

High

CVE ID

No known CVE

Weaknesses

No CWEs