#51457 [SC-Low] getAccruedCommission reverts when token was removed instead of returning the accrued commission
Report ID: #51457
Report Type: Smart Contract
Report severity: Low
Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/ValidatorFacet.sol
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
Severity: Low — function reverts when it should return a claimable value for a historical reward token.
Description
Brief/Intro
When a reward token is removed, ValidatorFacet::getAccruedCommission() reverts even though the accrued commission can still be claimed.
Vulnerability Details
Reward tokens can be added and later removed. When a reward token is added, it becomes both a historical reward token and a currently active reward token. When it is removed, it remains a historical reward token so that rewards for removed reward tokens can still be claimed. This also includes validator commission claims.
However, when a token has been added as a reward token, has accumulated commission, and has then been removed, the ValidatorFacet::getAccruedCommission() function reverts even though there is accrued commission that can still be claimed.
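The mismatch described above, as an added example that is not the project's code: a simplified model with an active-only getter beside one gated on the historical set. The contract name, the error, the storage names, the `accrue` helper and the premise that the revert comes from an active-token check are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model (assumption): names and storage layout are illustrative,
// not copied from ValidatorFacet.sol or RewardsFacet.sol. No access control.
contract CommissionViewModel {
    error TokenDoesNotExist(address token);

    mapping(address => bool) public isRewardToken;           // currently active
    mapping(address => bool) public isHistoricalRewardToken; // ever added
    mapping(uint16 => mapping(address => uint256)) internal accrued;

    function addRewardToken(address token) external {
        isRewardToken[token] = true;
        isHistoricalRewardToken[token] = true;
    }

    // Removal clears only the active flag; the historical flag stays set
    // so that rewards and commission for the token remain claimable.
    function removeRewardToken(address token) external {
        isRewardToken[token] = false;
    }

    // Stand-in for commission accounting while the token is active.
    function accrue(uint16 validatorId, address token, uint256 amount) external {
        if (!isRewardToken[token]) revert TokenDoesNotExist(token);
        accrued[validatorId][token] += amount;
    }

    // Reported behaviour: gated on the active set, so it reverts after
    // removeRewardToken() even when accrued[validatorId][token] > 0.
    function getAccruedCommissionActiveOnly(uint16 validatorId, address token)
        external view returns (uint256)
    {
        if (!isRewardToken[token]) revert TokenDoesNotExist(token);
        return accrued[validatorId][token];
    }

    // Consistent with claiming: gated on the historical set, so a removed
    // token still returns its balance and an unknown token still reverts.
    function getAccruedCommission(uint16 validatorId, address token)
        external view returns (uint256)
    {
        if (!isHistoricalRewardToken[token]) revert TokenDoesNotExist(token);
        return accrued[validatorId][token];
    }
}
```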
Impact Details
ValidatorFacet::getAccruedCommission() reverts when the specified token has been removed, even though the commission can still be claimed.
References
Code references:
RewardsFacet::addRewardToken — https://github.com/immunefi-team/attackathon-plume-network/blob/580cc6d61b08a728bd98f11b9a2140b84f41c802/plume/src/facets/RewardsFacet.sol#L153-L202
RewardsFacet::removeRewardToken — https://github.com/immunefi-team/attackathon-plume-network/blob/580cc6d61b08a728bd98f11b9a2140b84f41c204/plume/src/facets/RewardsFacet.sol#L210-L250
ValidatorFacet::getAccruedCommission — https://github.com/immunefi-team/attackathon-plume-network/blob/580cc6d61b08a728bd98f11b9a2140b84f41c802/plume/src/facets/ValidatorFacet.sol#L957-L959
Proof of Concept
Observe revert when querying accrued commission
Call ValidatorFacet::getAccruedCommission() for that token. The function reverts (see reference below), even though the commission can still be claimed. The function should return the commission for historical tokens as well.
Reference: https://github.com/immunefi-team/attackathon-plume-network/blob/580cc6d61b08a728bd98f11b9a2140b84f41c802/plume/src/facets/ValidatorFacet.sol#L957-L959