BabelFish Security Update — November
Last month, a vulnerability was found (but not exploited) in the Sovryn staking contract. Because the BabelFish staking contract is based on the same codebase as the Sovryn staking contract, the BabelFish staking contract inherited this same vulnerability. Sovryn developers confirmed that the same vulnerability existed in the BabelFish staking contract and alerted the BabelFish team. Once Sovryn developers identified a fix for the vulnerability, they shared it with the BabelFish team and BabelFish developer dharkmattr immediately began working to implement the fix in the BabelFish staking contract.
In the time since the BabelFish staking contract code was first forked from the original Sovryn codebase, BabelFish had not kept up with updates made to the Sovryn staking contract. For example, Sovryn has shipped several security updates to its staking contract, including a Contract Guardian role that can pause the contract when a vulnerability is discovered.
Because the BabelFish staking contract had not been updated with these changes, it lacked that pause capability. So when this latest staking vulnerability was found, the Sovryn Contract Guardian could pause the Sovryn staking contract while a fix was prepared, but BabelFish developers had no equivalent switch for their contract.
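The guardian-pause pattern described above, shown as an added illustration. This is not Sovryn's or BabelFish's code, and the contract name, the role and function names, and the token-staking logic are assumed for the example; the point is the separation of powers: a guardian key that can only stop the contract, and a governance owner that is the only party able to restart it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface needed for staking; a real deployment would import the full interface.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Illustrative guardian-pause pattern (added example; not Sovryn or BabelFish code).
// Roles: `owner` is governance (e.g. a multisig) and can set the guardian and unpause;
// `guardian` is a fast-acting role whose only power is to pause.
contract GuardedStaking {
    IERC20 public immutable token;
    address public owner;
    address public guardian;
    bool public paused;

    mapping(address => uint256) public staked;

    event Paused(address indexed by);
    event Unpaused(address indexed by);
    event GuardianChanged(address indexed oldGuardian, address indexed newGuardian);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // The owner can also pause, so governance is not blocked if the guardian key is lost.
    modifier onlyGuardianOrOwner() {
        require(msg.sender == guardian || msg.sender == owner, "not guardian");
        _;
    }

    modifier whenNotPaused() {
        require(!paused, "staking paused");
        _;
    }

    constructor(IERC20 _token, address _guardian) {
        token = _token;
        owner = msg.sender;
        guardian = _guardian;
    }

    function setGuardian(address _guardian) external onlyOwner {
        emit GuardianChanged(guardian, _guardian);
        guardian = _guardian;
    }

    // Emergency stop: one transaction from the guardian halts every state-changing entry point
    // while a fix is prepared. Only the `paused` flag is written, so the guardian key cannot move funds.
    function pause() external onlyGuardianOrOwner {
        require(!paused, "already paused");
        paused = true;
        emit Paused(msg.sender);
    }

    // Resuming is deliberately reserved for governance: the guardian can stop the contract
    // but cannot unilaterally decide that the fix is in and reopen it.
    function unpause() external onlyOwner {
        require(paused, "not paused");
        paused = false;
        emit Unpaused(msg.sender);
    }

    function stake(uint256 amount) external whenNotPaused {
        require(amount > 0, "nothing to stake");
        staked[msg.sender] += amount; // effects before the external call
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    function withdraw(uint256 amount) external whenNotPaused {
        require(staked[msg.sender] >= amount, "insufficient stake");
        staked[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

Two practical notes. The guardian should be a separate, low-latency key rather than the governance multisig itself, because the value of the role is reacting within minutes without waiting for a quorum. And gating `withdraw` behind `whenNotPaused`, as above, locks user funds for the duration of an incident; whether that is acceptable, or whether an emergency-withdraw path should stay open and only deposits and voting be paused, is a design decision each project has to make explicitly.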
The redeeming factor is that BabelFish Bitocracy does not currently control anything of value on-chain. BIPs can be proposed and voted on using on-chain voting, but the actual execution of a BIP is carried out by the BabelFish governance multisig. So even if a hypothetical attacker had exploited the vulnerabilities present in the BabelFish staking contract, the result would at worst have been an inconvenience: the extra work needed to clean up the state of the contract.
Despite the low impact an exploit would have had, the BabelFish team did not want to draw attention to the vulnerability and invite the cleanup work an exploit would have caused. So the existence and nature of the vulnerability were kept private until all necessary updates had been applied to the staking contract and the vulnerability was fixed. That is now done, and this post serves as the public disclosure of its existence.
Community members interested in auditing the fix can review the new staking code here and compare it to the old code here. The new contract logic has been deployed on Rootstock mainnet here.