Babylon Labs
Babylon introduces a new major utility for Bitcoin: trustless and self-custodial staking. The Babylon Bitcoin staking protocol turns Bitcoin into a stakable and slashable asset for any Proof-of-Stake systems. This allows Bitcoin HODLERs to hold their Bitcoins while earning staking rewards from the PoS systems for the slashable security they provide, in the same way as how native PoS token staking works.
Triaged by Immunefi
PoC required
KYC required
Rewards
Rewards by Threat Level
Reward amount is 10% of the funds directly affected, capped at the maximum critical reward of:
$1,000,000Minimum reward to discourage security researchers from withholding a bug report:
$50,000All other impacts that are classified as Critical will be rewarded a flat amount of:
$10,000The rest of the severity levels are paid out according to the Impact in Scope table.
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.3.
Reward Calculation for Blockchain/DLT Critical Level Reports
For critical Blockchain/DLT bugs, the reward amount is 10% of the funds directly affected, capped at the maximum critical reward USD 1 000 000. However, a minimum reward of USD 50 000 is to be rewarded in order to incentivize security researchers against withholding on a bug report.
All other impacts that would be classified as Critical would be rewarded with a minimum of USD 50 000. The rest of the severity levels are paid out according to the Impact in Scope table.
Reward Calculation for Blockchain/DLT High Level Reports
- In the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.
Reward Calculation for Web/Apps Critical Level Reports
For critical web/apps bug reports will be rewarded with USD 100 000, only if the impact leads to:
- A loss of funds involving an attack that does not require any user action
- Users funds being permanently stuck involving an attack that does not require any user action
- Private key or private key generation leakage leading to unauthorized access to user funds
All other impacts that would be classified as Critical would be rewarded with a minimum of USD 10 000.
The rest of the severity levels are paid out according to the Impact in Scope table.
Reward Payment Terms
Payouts are handled by the Babylon Labs team directly and are denominated in USD. However, payments are done in USDC on Ethereum
Program Overview
Babylon introduces a new major utility for Bitcoin: trustless and self-custodial staking. The Babylon Bitcoin staking protocol turns Bitcoin into a stakable and slashable asset for any Proof-of-Stake systems. This allows Bitcoin HODLERs to hold their Bitcoins while earning staking rewards from the PoS systems for the slashable security they provide, in the same way as how native PoS token staking works.
This is a brand new significant protocol, and it is at its very early stage. Its success lies in its protection of the Bitcoin stakers. More specifically, as long as:
- a Bitcoin staker manages its secret key properly, and
- the Bitcoin staker or the delegatee of its PoS attestation power (called a finality provider) does not act maliciously, then
no one can steal or slash the staked Bitcoin, and the Bitcoin staker can safely unbond and/or withdraw the stake as per the protocol.
Achieving such protection requires comprehensive security of the Bitcoin staking protocol at both the algorithm and implementation level. To this end, we have open-sourced all our code, and launched, on the 28th May 2024, a public Bitcoin staking testnet that focused on the Bitcoin stakers’ interaction with the Signet Bitcoin chain and the staking web DApp developed by the Babylon team. No PoS chain and staking reward is involved in this testnet.
Based on the successful operation of the testnet and the associated security audits on the code deployed in it, we are now launching a public Bitcoin Staking mainnet. This mainnet contains a staking cap that limits the amount of Bitcoins that enter into the system, with the goal of gradually rolling out the protocol.
For more information about Babylon Labs Ltd. (“Babylon Labs”), please visit https://babylonlabs.io
Babylon Labs provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section.
This bug bounty program will have a hard cap of USD $3,000,000. If multiple bug reports are submitted that exceed this amount, the rewards will be provided on a first come first served basis until that cap is reached.
KYC Requirement
Babylon Labs will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:
- Full name
- Date of birth
- Proof of address (either a redacted bank statement with address or a recent utility bill)
- Copy of Passport or other Government issued ID
Additional or alternate KYC information may be required by Babylon Labs or its KYC services provider. If you are an entity, KYB information will be required. Security researchers will need to provide accurate and complete information in response to each such KYC or KYB request.
Primacy of Impact vs Primacy of Rules
Babylon Labs adheres to the Primacy of Impact for the following impacts:
- Blockchain/DLT - Critical
- Web/App - Critical
Primacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see Best Practices: Primacy of Impact
When submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi. If the project has any testnet and/or mock files, those will not be covered under Primacy of Impact. All other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.
Proof of Concept (PoC) Requirements
A PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.
Public Disclosure of Known Issues
Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.
- Anything included as an open issue in the GitHub repositories.
- The informational components of the system operate under the assumption that transactions with sufficient confirmations are irreversible. In the event that a re-org happens reversing more blocks than this confirmation delta, the system will have to be restarted and re-index Bitcoin staking transactions. To combat this, the number of required confirmations defined in the global parameters is set to a high value based on historical Bitcoin data relating to re-orgs.
- A staker intentionally setting a very low Bitcoin fee, might find their transaction stuck in the mempool or included in a Bitcoin block where different staking parameters apply.
- Natural stake expiration (i.e. without on-demand unbonding) does not reduce the TVL amount the API service considers active. This design decision was made as the testnet and mainnet environments involve timelocks above a 15 month period (64000 blocks). All stake is expected to transition to the phase-2 PoS security system much earlier than that, so we do not expect naturally expiring stake for the lifespan of the phase-1 API service.
Previous Audits
Babylon Labs’ completed audit reports can be found in the following list. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.
- Coinspect Audit: https://docs.babylonlabs.io/assets/files/coinspect-phase1-audit.pdf
- Zellic Audit: https://docs.babylonlabs.io/assets/files/zellic-phase1-audit.pdf
- Cantina Competition: https://docs.babylonlabs.io/assets/files/cantina-phase1-competition.pdf
Immunefi Standard Badge
By adhering to Immunefi’s best practice recommendations, Babylon Labs has satisfied the requirements for the Immunefi Standard Badge.
Additional Terms
As a condition of your participation in Babylon Labs Bug Bounty Programs, including the submission of bug reports, you agree to be bound by the following terms and conditions in addition to any other terms and conditions that govern your participation. If you do not agree to these terms and conditions, you should not submit any bug report.
-
Babylon Labs will determine the severity level and impact for each submission, whether any submission is within scope and eligible for a reward, and the amount of a reward within a stated range, in its reasonable discretion.
-
Babylon Labs is not liable or responsible for any costs, fees, or expenses incurred by you in connection with this Bug Bounty Program. You acknowledge and agree that you shall be solely and exclusively responsible for the payment of any and all taxes, levies, duties, or similar governmental charges (collectively, "Taxes") that may arise in connection with any reward payments made to you. However, Babylon Labs may be required by applicable law to withhold or deduct any Taxes from payments.
-
Babylon Labs is an express third-party beneficiary of the Security Researchers Terms & Conditions between you and Immunefi, and entitled to enforce the terms and conditions therein as if it were an original contracting party. Babylon Labs is the party designated to be the transferee of intellectual property rights under Section 7 of the Security Researchers Terms & Conditions.
-
Babylon Labs, its affiliates and licensors, and their respective directors, officers, and employees (collectively, “Babylon Parties”) will have no liability arising from or relating to your use of, or conduct in connection with this Bug Bounty Program or the Immunefi platform, other than Babylon Labs’ potential obligations to pay you a reward. To the fullest extent permitted by applicable law, under no circumstances will any Babylon Parties be responsible or liable under any theory of liability, whether based in tort, contract, negligence, strict liability, warranty, or otherwise: (a) for any direct, indirect, exemplary, special, punitive, incidental, or consequential losses or damages of any kind, including without limitation, loss of profits arising from or relating to the bug bounty program or your use of the Immunefi platform. The foregoing limitations apply even if Babylon Parties were advised of or should have known of the possibility of such losses or damages and notwithstanding any failure of essential purpose of any limited remedy. The foregoing limitations will apply even if the above stated remedy fails of its essential purpose. Some jurisdictions do not allow the limitation or exclusion of certain liabilities, and damages. Accordingly, some of the disclaimers and limitations set forth in this Agreement may not apply in full to you, but will apply to the fullest extent as permitted by applicable law.
KYC required
The submission of KYC information is a requirement for payout processing.
Proof of Concept
Proof of concept is always required for all severities.
Responsible Publication
Category 3: Approval Required
Prohibited Activities
- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
- Any testing with pricing oracles or third-party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks that are executed against project assets
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
- Any other actions prohibited by the Immunefi Rules
Feasibility Limitations
The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.
Therefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.