50783 sc low validator percentage cap does not work properly

Submitted on Jul 28th 2025 at 14:39:50 UTC by @holydevoti0n for Attackathon | Plume Network

Report ID: #50783
Report Type: Smart Contract
Report severity: Low
Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/StakingFacet.sol
Impacts: Contract fails to deliver promised returns, but doesn't lose value

Description

Brief / Intro

The maxValidatorPercentage enforcement is unfair because it doesn't rebalance existing validators who exceeded the cap before it was introduced. Additionally, if the cap is raised to 100%, a single validator can hold 99.9% of the stake, since the cap is calculated based on totalStaked.

Vulnerability Details

Validation of the validator percentage in StakingFacet.sol:_validateValidatorPercentage():

    function _validateValidatorPercentage(
        uint16 validatorId, uint256 stakeAmount
    ) internal view {
        PlumeStakingStorage.Layout storage $ = PlumeStakingStorage.layout();
        uint256 previousTotalStaked = $.totalStaked - stakeAmount;

        // Check if exceeding validator percentage limit
        if (previousTotalStaked > 0 && $.maxValidatorPercentage > 0) {
            uint256 newDelegatedAmount = $.validators[validatorId].delegatedAmount;
@>            uint256 validatorPercentage = (newDelegatedAmount * 10_000) / $.totalStaked;
@>            if (validatorPercentage > $.maxValidatorPercentage) {
                revert ValidatorPercentageExceeded();
            }
        }
    }

The check only prevents new stakes that would exceed the limit, but doesn't address existing validators who already exceed the percentage cap.
Example scenario: System starts with maxValidatorPercentage = 0, Validator A accumulates 70% of total stake, then admin sets maxValidatorPercentage = 50%. Validator A remains at 70% while new validators can grow up to 50%, creating asymmetric percentages (70 + 50 = 120%).

Impact Details

Validators that exceeded the cap before enforcement can keep their oversized stake, giving them an unfair long-term advantage.
Validators below the cap can still grow up to the cap, resulting in an asymmetric total where multiple validators can exceed 100% combined when some were grandfathered above the cap.

Proof of Concept

Initial state

System starts with maxValidatorPercentage = 0.
Validator A accumulates 70% of total stake.

After admin changes cap

Admin sets maxValidatorPercentage = 50%.
Validator A remains at 70% (no rebalance).
Validator B (at 10%) can grow to 50%.
Resulting effective percentages can sum to more than 100% (e.g., 70% + 50% = 120%).

References

https://github.com/immunefi-team/attackathon-plume-network/blob/580cc6d61b08a728bd98f11b9a2140b84f41c802/plume/src/facets/StakingFacet.sol#L147-L162

Previous52961 sc high theft of yield from the distributor Next51320 sc low malicious teller parameter allow event data manipulation

Was this helpful?

hashtagDescription

hashtagBrief / Intro

hashtagVulnerability Details

hashtagImpact Details

hashtagProof of Concept

hashtagInitial state

hashtagAfter admin changes cap

hashtagReferences