BIP-0004: Staking contract update
The BabelFish staking contract was paused due to a security vulnerability that allowed for voting power theft. Specifically, a small amount of FISH could be staked at the same time and date as an existing stake, with a new delegate address passed as a parameter. This new delegate address would then receive the complete voting power of the stake. To fix this vulnerability and other issues, this BIP proposes several changes, including code refactoring and bug fixes, to the BabelFish staking contract.
The BabelFish staking and Bitocracy are a fork of Sovryn, with the initial intention of developing them further. However, it was later decided that this would be a waste of time and resources. Thus, it was concluded that the best way to move forward is to update and keep the staking contract up to date with the current version used by Sovryn. Updating the BabelFish staking contract to be compatible with Sovryn’s version was a big effort and very complex due to the changes required.
- Updating BabelFish staking contract to the version used by Sovryn, as updated staking contract code base will be easier to maintain going forward.
- Applying fixes to the discovered vulnerabilities:
The staking contract was vulnerable to voting power theft, which allowed a user to delegate voting power associated with a specific stake by staking an arbitrarily small amount of FISH for the user at the same date and time, and passing a new delegate as a parameter. As a result, the complete voting power of this stake was delegated to the passed delegate address.
The guard against multiple manipulations of the same stake on a single transaction can be circumvented because it is checking for the message sender address instead of the address to which the stake actually belongs.
- Separating the staking contract code into multiple modules, which can be deployed individually - due to the contract reaching the maximum possible EIP-170 solidity contract size.
The previous version of the contract, which is currently on the mainnet, can be found at:
The updated version, which has been deployed to testnet, can be found at:
Although not all changes were required by BabelFish, having the same base code was important to maintain compatibility and enable further updates if needed. For more detailed information on all the changes implemented by Sovryn, please refer to SIP-0049 and SIP-0058: