GHSA-56j4-446m-qrf6: 
vulnerability analysis and mitigation

A high-severity vulnerability (GHSA-56j4-446m-qrf6) was identified in Babylon versions prior to 2.2.0, where sending transactions with fees different than the native Babylon genesis denomination (ubbn) could lead to a chain halt. The vulnerability was discovered and disclosed on June 28, 2025, and was patched in version 2.2.0 (GitHub Advisory).

The vulnerability stems from a panic in the x/distribution module BeginBlocker triggered by an error when sending fees from the feeCollector to the x/distribution module. The issue occurs specifically when transaction fees are denominated in tokens other than the native 'ubbn' denomination. The vulnerability has been assigned a CVSS score of 8.7 (High), with attack vectors including Network accessibility, Low attack complexity, and No privileges required (GitHub Advisory).

The primary impact of this vulnerability is a Denial of Service condition that results in a complete halt of the Babylon Genesis chain. This occurs due to the panic in the distribution module's BeginBlocker functionality when processing non-native fee denominations (GitHub Advisory).

The vulnerability has been patched in Babylon version 2.2.0. The fix implements bank restrictions for the fee collector account, ensuring that only the default bond denomination (ubbn) is allowed for fee transactions (Babylon Commit).