10 matches found
GO-2025-4236 Finality Provider vulnerable to anti-slashing bypassing due to misconfiguration in github.com/babylonlabs-io/finality-provider
Finality Provider vulnerable to anti-slashing bypassing due to misconfiguration in github.com/babylonlabs-io/finality-provider...
EUVD-2025-203111
Finality Provider vulnerable to anti-slashing bypassing due to misconfiguration...
GHSA-4JMP-X7MH-RGMR Finality Provider vulnerable to anti-slashing bypassing due to misconfiguration
Summary: Anti-slashing protection is not effective if the attacker can access the EOTS manager endpoints. Impact: If the EOTS manager endpoints are exposed to the public without HMAC protection, an attacker can manually cause slashing of the finality provider through the RPC endpoints. Report credits go to:...
Incomplete Cleanup
Overview: Affected versions of this package are vulnerable to Incomplete Cleanup in the x/costaking process. An attacker can continue to accrue rewards without maintaining any actual BTC stake by exploiting a state inconsistency that occurs when a Finality Provider becomes inactive at the same blo...
GHSA-4RMQ-MC2C-R495 Babylon Incorrect FP inactive accounting in costaking creates “phantom stake” that earns rewards after BTC unbond
Summary: A state-consistency bug in x/costaking can leave a BTC delegator with non-zero ActiveSatoshis (phantom stake) even after they have fully unbonded their BTC delegation, if their Finality Provider (FP) drops out of the active set at the exact same Babylon block height. This creates a “phantom...
EUVD-2025-16144
Malicious code in bioql PyPI...
GO-2025-3686 Babylon Finality Provider `MsgCommitPubRandList` replay attack in github.com/babylonlabs-io/babylon
Babylon Finality Provider MsgCommitPubRandList replay attack in github.com/babylonlabs-io/babylon...
GHSA-7MM3-VFG8-7RG6 Babylon Finality Provider `MsgCommitPubRandList` replay attack
Summary: A high-severity vulnerability exists in the Babylon protocol's x/finality module due to a lack of domain separation in signed messages, combined with insufficient validation in the MsgCommitPubRandList handler. Specifically, the handler does not enforce that the submitted Commitment field is 32...