50425 sc high active non slashed validators cannot claim rewards when a reward token is disabled

Submitted on Jul 24th 2025 at 13:30:05 UTC by @oxrex for Attackathon | Plume Network

Report ID: #50425
Report Type: Smart Contract
Report severity: High
Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/ValidatorFacet.sol
Impacts:
- Temporary freezing of funds for at least 24 hours

Description

Brief/Intro

When a reward token is disabled, the intent is to allow validators as well as users to claim the accrued rewards up until the timestamp the disabled token became disabled. However, for validators there exists an edge case that is not handled correctly.

Vulnerability Details

When a reward token is disabled, no further requestCommissionClaim() function call will be possible for all validators because the function uses the modifier _validateIsToken which ensures the isRewardToken[token] bool for the reward token in question must be true, otherwise it reverts. Since, during deactivation of a reward token, the contract:

Step: Accrue final rewards for validators

Accrue all rewards up until block timestamp for all validators and save it in each validator's validatorAccruedCommission[validatorId][token].

Step: Disable the reward token

Set the isRewardToken[token] bool to false for the said token.

It will now not be possible for validators to request commission claim for the accrued commissions because requestCommissionClaim will revert with the message: TokenDoesNotExist.

Relevant snippet from ValidatorFacet.sol:

modifier _validateIsToken(
    address token
) {
    if (!PlumeStakingStorage.layout().isRewardToken[token]) {
        revert TokenDoesNotExist(token);
    }
    _;
}

function requestCommissionClaim(
    uint16 validatorId,
    address token
)
    external
    onlyValidatorAdmin(validatorId)
    nonReentrant
    _validateValidatorExists(validatorId)
    _validateIsToken(token)
{
    PlumeStakingStorage.Layout storage $ = PlumeStakingStorage.layout();
    PlumeStakingStorage.ValidatorInfo storage validator = $.validators[validatorId];

    if (!validator.active || validator.slashed) {
        revert ValidatorInactive(validatorId);
    }

    // Settle commission up to now to ensure accurate amount
    PlumeRewardLogic._settleCommissionForValidatorUpToNow($, validatorId);

    uint256 amount = $.validatorAccruedCommission[validatorId][token];
    if (amount == 0) {
        revert InvalidAmount(0);
    }
    if ($.pendingCommissionClaims[validatorId][token].amount > 0) {
        revert PendingClaimExists(validatorId, token);
    }
    address recipient = validator.l2WithdrawAddress;
    uint256 nowTs = block.timestamp;
    $.pendingCommissionClaims[validatorId][token] = PlumeStakingStorage.PendingCommissionClaim({
        amount: amount,
        requestTimestamp: nowTs,
        token: token,
        recipient: recipient
    });
    // Zero out accrued commission immediately
    $.validatorAccruedCommission[validatorId][token] = 0;

    emit CommissionClaimRequested(validatorId, token, recipient, amount, nowTs);
}

Relevant snippet from RewardsFacet.sol showing token removal flow:

function removeRewardToken(
    address token
) external onlyRole(PlumeRoles.REWARD_MANAGER_ROLE) {
    ...

    // Update validators (bounded by number of validators, not users)
    for (uint256 i = 0; i < $.validatorIds.length; i++) {
        uint16 validatorId = $.validatorIds[i];

        // Final update to current time to settle all rewards up to this point
        PlumeRewardLogic.updateRewardPerTokenForValidator($, token, validatorId); // updates validator rewards into `validatorAccruedCommission[validatorId][token]`

        // Create a final checkpoint with a rate of 0 to stop further accrual definitively.
        PlumeRewardLogic.createRewardRateCheckpoint($, token, validatorId, 0);
    }

    // Set rate to 0 to prevent future accrual. This is now redundant but harmless.
    $.rewardRates[token] = 0;
    // DO NOT delete global checkpoints. Historical data is needed for claims.
    // delete $.rewardRateCheckpoints[token];

    // Update the array
    $.rewardTokens[tokenIndex] = $.rewardTokens[$.rewardTokens.length - 1];
    $.rewardTokens.pop();

    // Update the mapping
    $.isRewardToken[token] = false; // marks the token status as false

    delete $.maxRewardRates[token];
    emit RewardTokenRemoved(token);
}

Impact Details

When the reward token is deactivated, accrued rewards that were calculated and updated for each of the validators cannot be requested, and calling forceSettleValidatorCommission() does not fix it because that function only accrues rewards for the validators without actually sending out the rewards.

Users are able to claim accrued rewards for the tokens, but validators cannot — even though they are still active / not slashed and should be able to claim the accrued commission for the period up to deactivation.

Suggested fix (described by reporter): allow validators to request claim for accrued rewards up to the timestamp the token was deactivated. Concretely, modify the request logic to allow requests when the validator is active, not slashed, the reward token is deactivated, and validatorAccruedCommission[validatorId][token] != 0.

References

https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/ValidatorFacet.sol?utm_source=immunefi#L126-L133
https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/ValidatorFacet.sol?utm_source=immunefi#L508

Proof of Concept

Add the PoC test below in the PlumeStakingDiamondTest test file and run the test with verbosity of 3 (-vvv). You can comment in the vm.expectRevert(); to actually see the test failing in the console if desired.

function testAfterRewardTokenRemovedValidatorCommissionLoss() public {

    address targetAdmin40 = makeAddr("p_targetAdmin40");
    vm.label(targetAdmin40, "p_targetAdmin40");
    vm.deal(targetAdmin40, 0.000001 ether); // for paying gas by validator admin

    vm.startPrank(admin);

    // Add validators for testing
    ValidatorFacet(address(diamondProxy)).addValidator(
        40,
        5e16,
        targetAdmin40,
        targetAdmin40,
        "target40",
        "target40",
        address(0x40),
        1_000_000 ether
    );
    vm.stopPrank();

    address staker1 = makeAddr("staker1");
    address staker2 = makeAddr("staker2");

    vm.deal(staker1, 501_000e18);
    vm.deal(staker2, 501_000e18);

    vm.startPrank(staker1);
    StakingFacet(payable(address(diamondProxy))).stake{
        value: 500_000e18}(40);
    vm.stopPrank();

    vm.startPrank(staker2);
    StakingFacet(payable(address(diamondProxy))).stake{
        value: 500_000e18}(40);
    vm.stopPrank();

    vm.warp(block.timestamp + 86400);
    vm.roll(block.number + 7200);
    console2.log("Time: ", block.timestamp);

    vm.startPrank(admin);
    RewardsFacet(address(diamondProxy)).removeRewardToken(PLUME_NATIVE);
    vm.stopPrank();

    vm.warp(block.timestamp + 86400);
    vm.roll(block.number + 7200);
    console2.log("Time: ", block.timestamp);

    vm.startPrank(targetAdmin40);
    vm.expectRevert(); // the function will revert here in this next call
    ValidatorFacet(address(diamondProxy)).requestCommissionClaim(40, PLUME_NATIVE);
    vm.stopPrank();

    vm.startPrank(targetAdmin40);
    ValidatorFacet(address(diamondProxy)).forceSettleValidatorCommission(40);
    vm.stopPrank();

    console2.log("Validator balance in PLUME: ", targetAdmin40.balance); // only the gas amount the validator admin/receiver had before is still there. no new PLUME received
}

Previous49868 sc insight raffle sol does not enforce prize endtimestamp allowing user and admin interactions with expired prizes Next49863 sc critical dex aggregator erc20 token theft

Was this helpful?