
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (GHSA-869w-47c6-fq8q) affects the distribution module of the Babylon blockchain platform, specifically its CumulativeRewardRatio calculation. The issue was discovered and published on May 13, 2025, and affects versions <= 1.0.2 of the babylonlabs-io/babylon package (GitHub Advisory).
The vulnerability stems from an integer overflow in the distribution module's CumulativeRewardRatio calculation. It manifests when large token amounts are transferred through IBC and subsequently deposited in the validator rewards pool using the DepositValidatorRewardsPool message. The calculation occurs in the x/epoching module EndBlocker. The vulnerability has been assigned a CVSS v4 score of 8.2 (High), with an attack vector of Network, attack complexity Low, and no privileges or user interaction required (GitHub Advisory).
The primary impact of this vulnerability is a Denial of Service condition affecting the Babylon Genesis chain. When the integer overflow occurs during the CumulativeRewardRatio calculation, it triggers a panic in the EndBlocker, which results in a complete halt of the blockchain (GitHub Advisory).
A patch has been released in version 1.1.0 of the babylonlabs-io/babylon package. Users are advised to upgrade to this version to mitigate the vulnerability (GitHub Advisory).
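The failure mode described above, a reward-ratio multiplication that panics on overflow inside end-of-block processing, is shown here next to a checked variant that returns an error instead. This is an added illustration, not Babylon's code and not the 1.1.0 patch; the 256-bit cap, the 1e20 scaling factor and all function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// Assumptions (not from the advisory): a 256-bit integer cap and a 1e20 scaling factor.
const maxBits = 256

var precision = new(big.Int).Exp(big.NewInt(10), big.NewInt(20), nil)
var errOverflow = errors.New("reward ratio overflow")

// ratioUnchecked models the failure mode: a bounded integer that panics when rewards*precision exceeds maxBits.
func ratioUnchecked(rewards, stake *big.Int) *big.Int {
	p := new(big.Int).Mul(rewards, precision)
	if p.BitLen() > maxBits {
		panic("integer overflow")
	}
	return p.Quo(p, stake)
}

// ratioChecked validates inputs and returns an error instead of panicking.
func ratioChecked(rewards, stake *big.Int) (*big.Int, error) {
	if rewards.Sign() < 0 || stake.Sign() <= 0 {
		return nil, errors.New("invalid rewards or stake")
	}
	p := new(big.Int).Mul(rewards, precision)
	if p.BitLen() > maxBits {
		return nil, errOverflow
	}
	return p.Quo(p, stake), nil
}

// endBlock runs one accounting step; false means it panicked, which in a real end-of-block handler halts the chain.
func endBlock(step func()) (ok bool) {
	defer func() { ok = recover() == nil }()
	step()
	return true
}

func main() {
	deposit := new(big.Int).Lsh(big.NewInt(1), 200) // constructed oversized deposit
	stake := big.NewInt(1000)
	fmt.Println("unchecked completes:", endBlock(func() { ratioUnchecked(deposit, stake) }))
	_, err := ratioChecked(deposit, stake)
	fmt.Println("checked result:", err)
}
```

With the checked variant, the caller can reject or cap the deposit when the message is handled, so the overflow never reaches end-of-block processing.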
Source: This report was generated using AI