Babylon Labs
Babylon introduces a new major utility for Bitcoin: trustless and self-custodial staking. The Babylon Bitcoin staking protocol turns Bitcoin into a stakable and slashable asset for any Proof-of-Stake systems. This allows Bitcoin HODLERs to hold their Bitcoins while earning staking rewards from the PoS systems for the slashable security they provide, in the same way as how native PoS token staking works.
Triaged by Immunefi
PoC required
KYC required
Arbitration enabled
Select the category you'd like to explore
Assets in Scope
Impacts in Scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
For the Unbonding Pipeline Process, the following code components and branches are in-scope:
Everything here https://github.com/babylonlabs-io/cli-tools/blob/v0.2.x/, except the following test commands:
- createStakingTxCmd https://github.com/babylonlabs-io/cli-tools/blob/v0.2.x/cmd/createStakingTxCmd.go
- createUnbondingTxCmd https://github.com/babylonlabs-io/cli-tools/blob/v0.2.x/cmd/createUnbondingTxCmd.go
- createWithdrawTxCmd https://github.com/babylonlabs-io/cli-tools/blob/v0.2.x/cmd/createWithdrawTxCmg.go
For the EOTS Manager program, the following code components and branches are in-scope:
https://github.com/babylonlabs-io/finality-provider/tree/v0.4.x/eotsmanager – only code associated with the eotsd init, eotsd keys add, eotsd sign-schnorr, and the eotsd verify-schnorr-sig commands is in scope. The EOTS manager daemon functionality is not in scope.
Execute arbitrary system commands
Direct loss of funds
Subdomain takeover with already-connected wallet interaction
Permanent freezing of funds
Retrieve the private key of a covenant committee member
Leakage of EOTS private keys without the holder double-signing
Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as: Making trades
Direct theft of user funds or causing their freezing
Retrieve sensitive data/files from a running server, such as: /etc/shadow, database passwords, blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames etc with no operational impact)
Malicious interactions with an already-connected wallet without user interaction, such as: Modifying transaction arguments or parameters, Submitting malicious transactions
Subdomain takeover without already-connected wallet interaction
Generation of invalid EOTS keys
Out of scope
Additional Blockchain/DLT Specific:
- Impacts involving centralization risks
- Impacts involving Bitcoin not being live or safe.
- Impacts involving a quorum of the covenant committee being malicious.
- Impacts involving a quorum of the covenant committee not being able to be reached due to a full quorum not being live.
- Impacts involving the confirmation depth on the global parameters being set to an improperly low value.
- Impacts involving a user’s staking transaction being included in a Bitcoin block in which different global parameters than the ones the user used apply.
Prohibited Activities:
- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
- Any testing with pricing oracles, third-party smart contracts or cloud services
- Attempting phishing or other social engineering attacks against our employees, and/or customers, service providers and community members
- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks that are executed against project assets
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
Blockchain/DLT specific
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers