51455 sc low inflated earned ui rewards when validator stake is zero due to missing totalstaked guard in view logic

Submitted on Aug 3rd 2025 at 00:12:53 UTC by @Rhaydden for Attackathon | Plume Network

Report ID: #51455
Report Type: Smart Contract
Report severity: Low
Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/lib/PlumeRewardLogic.sol
Impacts:
- Contract fails to deliver promised returns, but doesn't lose value

Description

Brief/Intro

calculateRewardsWithCheckpointsView keeps accruing reward-per-token during any period where a validator’s totalStaked is zero, whereas the state-changing path (updateRewardPerTokenForValidator) correctly stops accrual. The mismatch causes earned() and all UI displays to show rewards users can never claim.

Vulnerability Details

In PlumeRewardLogic.sol (view path):

// VIEW path
uint256 rptIncreaseInSegment = segmentDuration * rateForSegment;
simulatedCumulativeRPT += rptIncreaseInSegment;

The loop runs for every time segment with a non zero reward rate. There is no check that the validator actually has stake during the segment.

Opposite of what the state-changing path does:

// STATE-CHANGING path
if (totalStaked > 0) {
    uint256 rewardPerTokenIncrease = timeSinceLastUpdate * effectiveRewardRate;
    $.validatorRewardPerTokenCumulative[validatorId][token] += rewardPerTokenIncrease;
}

When totalStaked == 0, the cumulative value on chain is frozen and only validatorLastUpdateTimes is advanced. Because the view function starts its simulation from that stored timestamp, it integrates reward rate across the zero-stake window, inflating simulatedCumulativeRPT. _calculateRewardsCore then computes an overstated user delta, so earned() differs from the value that will be paid by claim().

Conditions required for the discrepancy:

Validator is active but has momentarily zero stake (all delegators withdrew).

Reward rate for the token > 0.

No transaction hits updateRewardPerTokenForValidator during that interval (common when there is no stake).

Every second that passes, the gap between displayed and claimable rewards widens.

Impact Details

Low – contract fails to deliver promised returns, but doesn't lose value. Users see larger rewards than they can claim.

Fix

Add a stake guard identical to the state-changing path:

if ($.validatorTotalStaked[validatorId] > 0 && rateForSegment > 0) {
    simulatedCumulativeRPT += segmentDuration * rateForSegment;
}

References

https://github.com/immunefi-team/attackathon-plume-network/blob/580cc6d61b08a728bd98f11b9a2140b84f41c802/plume/src/lib/PlumeRewardLogic.sol#L907-L909

Proof of Concept

Add validator V with reward rate R > 0.

Delegate 100 tokens to V. Wait 1 hour; call earned(user, V) -> returns E1.

User withdraws entire stake (totalStake becomes 0). Do nothing else for 2 hours.

Call earned(user, V) again -> returns E2 where E2 - E1 ≈ 2 h * R.

Now call claim(user, V); the user only receives E1 (plus small rounding), proving the extra 2 hours of rewards were never claimable.

Previous50949 sc insight no check if raffle actually has enough funds Next52436 sc low getaccruedcommission could return an inaccurate value

Was this helpful?

hashtagDescription

hashtagBrief/Intro

hashtagVulnerability Details

hashtagImpact Details

hashtagFix

hashtagReferences

hashtagProof of Concept