50490 sc high user loses reward tokens during validator user relationship clearing

Submitted on Jul 25th 2025 at 10:38:44 UTC by @oxrex for Attackathon | Plume Network

• Report ID: #50490

• Report Type: Smart Contract

• Report severity: High

• Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/ManagementFacet.sol

• Impacts:

  • Contract fails to deliver promised returns, but doesn't lose value

Description

Brief/Intro

Validator-user relationship for reward tokens not yet claimed but accrued from last user interaction timestamp up until validator slash timestamp will be lost once validator-user record is cleared as the user's stake will now be 0 and multiplying pending rewards by 0 would yield 0.

Vulnerability Details

userValidatorStakes[user][slashedValidatorId].staked tracks how much the user stakes to a validator and thus is used for reward calculation for the user based on the staked amount. However:

Relevant code excerpt:

 function adminClearValidatorRecord(
        address user,
        uint16 slashedValidatorId
    ) external onlyRole(PlumeRoles.ADMIN_ROLE) {
        PlumeStakingStorage.Layout storage $ = PlumeStakingStorage.layout();

        if (user == address(0)) {
            revert ZeroAddress("user");
        }
        if (!$.validatorExists[slashedValidatorId]) {
            revert ValidatorDoesNotExist(slashedValidatorId);
        }
        if (!$.validators[slashedValidatorId].slashed) {
            revert ValidatorNotSlashed(slashedValidatorId);
        }

        uint256 userActiveStakeToClear = $.userValidatorStakes[user][slashedValidatorId].staked;
        PlumeStakingStorage.CooldownEntry storage cooldownEntry = $.userValidatorCooldowns[user][slashedValidatorId];
        uint256 userCooledAmountToClear = cooldownEntry.amount;

        bool recordChanged = false;

        if (userActiveStakeToClear > 0) {
@>            $.userValidatorStakes[user][slashedValidatorId].staked = 0;
            // Decrement user's global stake
            if ($.stakeInfo[user].staked >= userActiveStakeToClear) {
                $.stakeInfo[user].staked -= userActiveStakeToClear;
            } else {
                $.stakeInfo[user].staked = 0; // Should not happen if state is consistent
            }
            emit AdminClearedSlashedStake(user, slashedValidatorId, userActiveStakeToClear);
            recordChanged = true;
        }

        ...

        if ($.userHasStakedWithValidator[user][slashedValidatorId] || recordChanged) {
            PlumeValidatorLogic.removeStakerFromValidator($, user, slashedValidatorId);
        }
    }

Impact Details

Since the validator-user relationship is now cleared, the users will lose reward tokens that were not yet claimed up until the timestamp the slash occurred. Also, the user's userValidatorRewardPerTokenPaidTimestamp[user][validatorId][token] = block.timestamp will now point to the block.timestamp for an unpaid amount.

The suggested fix is to add an if check inside the adminClearValidatorRecord() function that verifies whether the user has already had their rewards accounted up to (or beyond) the slash timestamp, for example:

This check guarantees that if the user's reward-per-token paid timestamp is less than the slash timestamp, the user hasn't claimed rewards up until the timestamp of the slash yet. When they do claim rewards, userValidatorRewardPerTokenPaidTimestamp will point to either the slash timestamp (if claimed in the same block) or above it (if claimed afterwards).

The PoC provided in the PoC section can be pasted in the PlumeStakingDiamond.t.sol test file and be run with verbosity of 3 (-vvv) to see the resulting reward balance of the users as the rewards were unable to be claimed.

References

https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/ManagementFacet.sol#L389-L445

Proof of Concept