N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-4jmp-x7mh-rgmr

GHSA-4jmp-x7mh-rgmr: Finality Provider vulnerable to anti-slashing bypassing due to misconfiguration

Summary

The anti-slashing is not effective if the attacker can access EOTS manager endpoints.

Impact

If the EOTS manager endpoints are open to public without HMAC protection, the attacker can manually cause slashing of the finality provider through the RPC endpoints

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-4jmp-x7mh-rgmr

GHSA-4jmp-x7mh-rgmr:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/babylonlabs-io/finality-provider	go	<= 1.0.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability analysis of babylonlabs-io/finality-provider commit 721bf5b7a271ada1679a67496c9bc3516c339390 reveals two distinct but related security issues that were addressed.

First, the advisory highlights that the anti-slashing mechanism could be bypassed. The root cause was the UnsafeSignEOTS RPC endpoint, which, as its name implies, does not enforce slashing protection. This endpoint was enabled by default and, if exposed without proper HMAC authentication, would allow an attacker to submit signing requests that could lead to the finality provider being slashed. The patch mitigates this by introducing a new configuration option, DisableUnsafeEndpoints, which is set to true by default, effectively disabling this dangerous endpoint unless explicitly enabled for testing or other specific purposes.

Second, the patch addresses a key aliasing vulnerability within the LocalEOTSManager. The SignEOTS and its helper function getEOTSPrivKey were flawed. An attacker could associate their own public key with a victim's key name in the system. When a signing request was made with the attacker's public key, the system would resolve it to the victim's key name, retrieve the victim's private key, and sign the attacker's message. The vulnerability existed because the code did not verify that the public key in the signing request matched the public key corresponding to the private key retrieved from the keyring. The fix involves adding an explicit verification step after key retrieval to ensure the public keys match, thus preventing this impersonation attack.

Both vulnerabilities could lead to unauthorized signing operations and financial loss through slashing. The identified vulnerable functions are the ones that either directly exposed the unsafe operation (UnsafeSignEOTS) or contained the flawed logic that allowed for key aliasing (SignEOTS, getEOTSPrivKey).

Vulnerable functions

service.rpcServer.UnsafeSignEOTS

eotsmanager/service/rpcserver.go

This function allows signing EOTS messages without slashing protection. The vulnerability lies in this endpoint being accessible, potentially without proper authentication, allowing an attacker to trigger slashing events. The patch disables this endpoint by default via a new configuration flag.

eotsmanager.LocalEOTSManager.SignEOTS

eotsmanager/localmanager.go

This function was vulnerable to a key aliasing attack. An attacker could make the server sign a message with a victim's private key by providing the attacker's public key but tricking the key storage to resolve to the victim's key. The patch adds a verification step to ensure the public key provided in the request matches the public key of the retrieved private key.

eotsmanager.LocalEOTSManager.getEOTSPrivKey

eotsmanager/localmanager.go

This helper function, used by `SignEOTS`, contained the same key aliasing vulnerability. It would retrieve a private key based on a key name derived from a public key, without verifying that the retrieved key actually corresponds to the provided public key. The patch adds the necessary verification.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-4jmp-x7mh-rgmr: Finality Provider vulnerable to anti-slashing bypassing due to misconfiguration

Summary

Impact

GHSA-4jmp-x7mh-rgmr:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

GHSA-4jmp-x7mh-rgmr: Finality Provider vulnerable to anti-slashing bypassing due to misconfiguration

Summary

Impact

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI