search
Active Boosts

49671 sc insight wrong emission in stake

Submitted on Jul 18th 2025 at 03:42:01 UTC by @holydevoti0n for Attackathon | Plume Networkarrow-up-right

  • Report ID: #49671

  • Report Type: Smart Contract

  • Report severity: Insight

  • Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/StakingFacet.sol

  • Impacts:

hashtag
Description

hashtag
Summary

Wrong information when emitting Staked events.

hashtag
Vulnerability Details

The Staked event is defined as follows, where the last argument is supposed to be the pendingRewards used for the staking.

/**
 * @notice Emitted when tokens are staked in the contract
 * @param staker Address of the staker
 * @param validatorId ID of the validator receiving the stake
 * @param amount Amount of tokens staked
 * @param fromCooled Amount of tokens used from cooled tokens
 * @param fromParked Amount of tokens used from parked (withdrawn) tokens
 * @param pendingRewards Amount of tokens staked from pending rewards
 */
event Staked(
    address indexed staker,
    uint16 indexed validatorId,
    uint256 amount,
    uint256 fromCooled,
    uint256 fromParked,
    uint256 pendingRewards
);

However, when emitting the events throughout StakingFacet.sol, the last argument does not always represent pendingRewards. For example:

Example 1:

Example 2:

In the examples above, the staking didn't actually use any pending rewards — the amount comes from the transaction value (msg.value) — but the event is emitted with pendingRewards equal to the staked amount.

hashtag
Impact

Off-chain consumers reading the Staked event may believe the stake used pending rewards, while it was actually funded via the transaction value. This can cause incorrect reporting in dashboards and trackers.

hashtag
Recommendation

Pass the correct pendingRewards value when emitting Staked in functions that do not consume pending rewards. For the two examples above, replace the last argument with 0:

Suggested change for stake:

Suggested change for stakeOnBehalf:

hashtag
Proof of Concept

  1. User stakes 1 ETH:

    • contract.stake{value: 1}(validatorId);

  2. stake processes the stake and emits:

    • emit Staked(staker, validatorId, stakeAmount, 0, 0, stakeAmount);

  3. Off-chain listeners will report that pending rewards were used for staking, while the stake was funded by the transaction value.

Previous52706 sc low multi quantity prize claims revert until all winners are drawn freezing early winnersNext50252 sc high rounding excess yield tokens become permanently stuck when last holder is yield restricted

Was this helpful?