GHSA-4rmq-mc2c-r495

Source
https://github.com/advisories/GHSA-4rmq-mc2c-r495
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-4rmq-mc2c-r495/GHSA-4rmq-mc2c-r495.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4rmq-mc2c-r495
Aliases
Published
2025-12-09T14:25:03Z
Modified
2025-12-15T19:56:17.439286Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
Babylon Incorrect FP inactive accounting in costaking creates “phantom stake” that earns rewards after BTC unbond
Details

Summary

A state consistency bug in x/costaking can leave a BTC delegator with non-zero ActiveSatoshis (“phantom stake”) even after they have fully unbonded their BTC delegation, if their Finality Provider (FP) drops out of the active set at the exact same Babylon block height. This creates a “phantom stake”: the delegator’s BTC capital is withdrawn and the FP is inactive, but costaking continues to treat the delegation as active BTC stake, allowing ongoing reward accrual without backing BTC.

Impact

An address can keep earning costaking rewards with zero BTC staked.

Reported by @BottyBott.

Database specific
{
    "github_reviewed_at": "2025-12-09T14:25:03Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-459"
    ],
    "nvd_published_at": null,
    "severity": "MODERATE"
}
References

Affected packages

Go
github.com/babylonlabs-io/babylon/v4

Package

Name
github.com/babylonlabs-io/babylon/v4
Purl
pkg:golang/github.com/babylonlabs-io/babylon/v4

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.2.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-4rmq-mc2c-r495/GHSA-4rmq-mc2c-r495.json"
github.com/babylonlabs-io/babylon/v3

Package

Name
github.com/babylonlabs-io/babylon/v3
Purl
pkg:golang/github.com/babylonlabs-io/babylon/v3

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
3.0.0-snapshot.250805a

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-4rmq-mc2c-r495/GHSA-4rmq-mc2c-r495.json"
github.com/babylonlabs-io/babylon/v2

Package

Name
github.com/babylonlabs-io/babylon/v2
Purl
pkg:golang/github.com/babylonlabs-io/babylon/v2

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
2.3.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-4rmq-mc2c-r495/GHSA-4rmq-mc2c-r495.json"
github.com/babylonlabs-io/babylon

Package

Name
github.com/babylonlabs-io/babylon
Purl
pkg:golang/github.com/babylonlabs-io/babylon

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
1.1.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-4rmq-mc2c-r495/GHSA-4rmq-mc2c-r495.json"