Headline
GHSA-m6wq-66p2-c8pc: Babylon Nil BlockHash in BLS vote extensions triggers panics in consensus handlers
Summary
A vulnerability exists in Babylon’s BLS vote extension processing where a malicious active validator can submit a VoteExtension with the block_hash field omitted from the protobuf serialization. Because protobuf fields are optional, unmarshalling succeeds but leaves BlockHash as nil. Babylon then dereferences this nil pointer in consensus-critical code paths (notably VerifyVoteExtension, and also proposal-time vote verification), causing a runtime panic.
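The failure mode described in the summary, as an added Go example that is not Babylon's code: the VoteExt type, its field numbers (1 for signer, 2 for block_hash) and the decode and verify helpers are constructed stand-ins, with a small hand-written decoder in place of generated protobuf code. It shows an encoding that omits block_hash decoding without error to a nil pointer, the panic when a handler dereferences it, and the nil check that rejects the message before any field is used.

```go
package main

import "fmt"

type BlockHash []byte                                                       // stand-in for a pointer-typed bytes field
func (h *BlockHash) Equal(o []byte) bool { return string(*h) == string(o) } // panics when h is nil

type VoteExt struct { // constructed message; field numbers 1 and 2 are assumed
	Signer    string
	BlockHash *BlockHash
}

// decode reads length-delimited fields only; a field absent from b keeps its zero value (nil).
func decode(b []byte) (*VoteExt, error) {
	ve := &VoteExt{}
	for len(b) > 0 {
		if len(b) < 2 || b[0]&7 != 2 || (b[0]|b[1]) > 127 || int(b[1]) > len(b)-2 {
			return nil, fmt.Errorf("malformed input")
		}
		val := b[2 : 2+int(b[1])]
		if b[0]>>3 == 1 {
			ve.Signer = string(val)
		} else if b[0]>>3 == 2 {
			ve.BlockHash = (*BlockHash)(&val)
		}
		b = b[2+len(val):]
	}
	return ve, nil
}

// verify compares the decoded hash with want; recover only reports the panic that would crash a node.
func verify(raw, want []byte, guard bool) (ok bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			ok, err = false, fmt.Errorf("handler panicked: %v", r)
		}
	}()
	ve, err := decode(raw)
	if err != nil {
		return false, err
	}
	if guard && ve.BlockHash == nil {
		return false, fmt.Errorf("rejected: block_hash missing")
	}
	return ve.BlockHash.Equal(want), nil
}

func main() { // constructed input: signer field only, block_hash omitted
	fmt.Println(verify([]byte{0x0a, 2, 'v', '1'}, []byte("h"), false))
}
```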
Impact
Intermittent validator crashes at epoch boundaries, which would slow down the creation of the epoch boundary block.
Finder
Vulnerability discovered by:
- @GrumpyLaurie55348
High severity · GitHub Reviewed · Published Dec 8, 2025 in babylonlabs-io/babylon · Updated Dec 8, 2025
Package
gomod github.com/babylonlabs-io/babylon (Go)
Affected versions
<= 1.1.0
gomod github.com/babylonlabs-io/babylon/v2 (Go)
gomod github.com/babylonlabs-io/babylon/v3 (Go)
<= 3.0.0-snapshot.250805a
gomod github.com/babylonlabs-io/babylon/v4 (Go)
References
- GHSA-m6wq-66p2-c8pc
- babylonlabs-io/babylon@f79ad58
Published to the GitHub Advisory Database: Dec 8, 2025