GHSA-56j4-446m-qrf6: 
vulnerability analysis and mitigation

A high-severity vulnerability (GHSA-56j4-446m-qrf6) was identified in Babylon versions prior to 2.2.0, where sending transactions with fees in denominations other than the native Babylon genesis denomination (ubbn) could lead to a chain halt. The vulnerability was discovered and disclosed on June 28, 2025, affecting the babylonlabs-io/babylon repository (GitHub Advisory).

The vulnerability stems from a panic in the x/distribution module BeginBlocker, which is triggered by an error when sending fees from the feeCollector to the x/distribution module. The issue received a CVSS v4.0 score of 8.7 (High), with the following metrics: Network Attack Vector, Low Attack Complexity, No Attack Requirements, No Privileges Required, and No User Interaction needed. The vulnerability is classified under CWE-755 (Improper Handling of Exceptional Conditions) (GitHub Advisory).

The primary impact of this vulnerability is a Denial of Service condition that results in a complete halt of the Babylon Genesis chain. When transactions with non-ubbn fees are processed, the system encounters a critical error during the fee collection and distribution process, leading to a system-wide failure (GitHub Advisory).

The vulnerability has been patched in version 2.2.0 of the Babylon software. The fix implements bank restrictions for the fee collector account, ensuring that only the default bond denomination (ubbn) is accepted for fee transactions (GitHub Commit).