50551 sc low staked dust positions are not properly prevented
Submitted on Jul 25th 2025 at 23:27:47 UTC by @a16 for Attackathon | Plume Network
Report ID: #50551
Report Type: Smart Contract
Report severity: Low
Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/StakingFacet.sol
Impacts:
Unbounded gas consumption
Description
Brief / Intro
While the staking mechanism validates that amounts below minStakeAmount cannot be directly staked, it is still possible to have less than the minimal amount staked by partially unstaking.
Vulnerability Details
When calling stake(), restake() or stakeOnBehalf(), the staked amount is eventually compared to minStakeAmount, and the call reverts if it is smaller than that minimum. However, by first calling stake() for an amount larger than that minimum and then calling unstake() for almost all of what was staked, a staked position with a dust value remains without handlePostUnstakeCleanup() being called.
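The missing invariant described above, as an added example that is not part of the original report or the Plume code base: a simplified accounting model in which `unstakeUnchecked` reproduces the reported behaviour and `unstake` rejects a remainder below `minStakeAmount`. Everything except the names `stake`, `unstake` and `minStakeAmount` is an assumption; token transfers, validators and the cooldown timer are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Simplified accounting model, not the Plume StakingFacet. Token transfers,
// validators and the cooldown timer are omitted; names other than stake,
// unstake and minStakeAmount are hypothetical.
contract DustSafeStaking {
    uint256 public immutable minStakeAmount;
    mapping(address => uint256) public staked;  // active stake per user
    mapping(address => uint256) public cooling; // unstaked, awaiting cooldown
    uint256 public openPositions;               // entries an iterator must visit

    error BelowMinimum(uint256 amount, uint256 minimum);
    error DustRemainder(uint256 remainder, uint256 minimum);
    error InsufficientStake(uint256 requested, uint256 available);

    constructor(uint256 minStake) { minStakeAmount = minStake; }

    // Entry check the report describes: deposits below the minimum revert.
    function stake(uint256 amount) external {
        if (amount == 0 || amount < minStakeAmount) revert BelowMinimum(amount, minStakeAmount);
        if (staked[msg.sender] == 0) openPositions++;
        staked[msg.sender] += amount;
    }

    // Reported behaviour: nothing constrains what is left behind, so a
    // partial exit can leave a position far below minStakeAmount open.
    function unstakeUnchecked(uint256 amount) external {
        _moveToCooldown(amount);
    }

    // Hardened exit: the remainder must be zero (full exit, position is
    // closed) or still satisfy the same minimum that stake() enforces.
    function unstake(uint256 amount) external {
        uint256 current = staked[msg.sender];
        if (amount > current) revert InsufficientStake(amount, current);
        uint256 remainder = current - amount;
        if (remainder != 0 && remainder < minStakeAmount) revert DustRemainder(remainder, minStakeAmount);
        _moveToCooldown(amount);
    }

    function _moveToCooldown(uint256 amount) internal {
        uint256 current = staked[msg.sender];
        if (amount > current) revert InsufficientStake(amount, current);
        staked[msg.sender] = current - amount;
        cooling[msg.sender] += amount;
        // Cleanup runs only when a position is emptied; a dust remainder leaves it open.
        if (amount != 0 && current == amount) openPositions--;
    }
}
```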
Impact Details
While there’s no immediate impact (beyond increased gas consumption for anyone iterating over those staked positions), it’s not advisable to allow staked positions to hold amounts smaller than the designated minimum. A malicious user could purposely open many dust positions (albeit needing to wait out the cooldown period to retrieve the unstaked amounts), potentially using them as a way to spam, incur greater gas costs or cause DoS if the number of positions reaches levels beyond the block gas limit.
Severity
While this issue could potentially lead to an impact classified as “Medium” (Unbounded gas consumption), practical limitations together with economic disincentives and a lack of any clear motive for the attacker make it an issue that would be better classified as “Low” (or even an “insight”).
Proof of Concept