search
Active Boosts

51457 sc low getaccruedcommission reverts when token was removed instead of returning the accrued commission

  • Report ID: #51457

  • Report Type: Smart Contract

  • Report severity: Low

Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/ValidatorFacet.sol

Impacts:

  • Contract fails to deliver promised returns, but doesn't lose value

circle-exclamation

Severity: Low — function reverts when it should return a claimable value for a historical reward token.

hashtag
Description

hashtag
Brief/Intro

When a reward token is removed, ValidatorFacet::getAccruedCommission() reverts even though the accrued commission can still be claimed.

hashtag
Vulnerability Details

Reward tokens can be added and later removed. When adding a reward token, it becomes both a historical reward token and a currently active reward token. When removing a reward token, it remains a historical reward token to allow claiming of rewards for removed reward tokens. This also includes validator commission claims.

However, when a token was added as a reward token, accumulated commission, and was then removed, the ValidatorFacet::getAccruedCommission() function reverts even though there is accrued commission that can still be claimed.

hashtag
Impact Details

ValidatorFacet::getAccruedCommission() reverts when the specified token has been removed, even though the commission can still be claimed.

hashtag
References

Code references (kept as-is):

  • RewardsFacet::addRewardToken — https://github.com/immunefi-team/attackathon-plume-network/blob/580cc6d61b08a728bd98f11b9a2140b84f41c802/plume/src/facets/RewardsFacet.sol#L153-L202

  • RewardsFacet::removeRewardToken — https://github.com/immunefi-team/attackathon-plume-network/blob/580cc6d61b08a728bd98f11b9a2140b84f41c204/plume/src/facets/RewardsFacet.sol#L210-L250

  • ValidatorFacet::getAccruedCommission — https://github.com/immunefi-team/attackathon-plume-network/blob/580cc6d61b08a728bd98f11b9a2140b84f41c802/plume/src/facets/ValidatorFacet.sol#L957-L959

hashtag
Proof of Concept

1

hashtag
Add a reward token

Call RewardsFacet::addRewardToken() to add a token as a reward token.

Reference: https://github.com/immunefi-team/attackathon-plume-network/blob/580cc6d61b08a728bd98f11b9a2140b84f41c802/plume/src/facets/RewardsFacet.sol#L153-L202

2

hashtag
Accrue commission

Some time passes and a validator accrues commission for the added reward token.

3

hashtag
Remove the reward token

Call RewardsFacet::removeRewardToken() to remove the reward token.

Reference: https://github.com/immunefi-team/attackathon-plume-network/blob/580cc6d61b08a728bd98f11b9a2140b84f41c802/plume/src/facets/RewardsFacet.sol#L210-L250

4

hashtag
Observe revert when querying accrued commission

Call ValidatorFacet::getAccruedCommission() for that token. The function reverts (see reference below), even though the commission can still be claimed. The function should return the commission for historical tokens as well.

Reference: https://github.com/immunefi-team/attackathon-plume-network/blob/580cc6d61b08a728bd98f11b9a2140b84f41c802/plume/src/facets/ValidatorFacet.sol#L957-L959

Previous52446 sc low withdrawing unsold tokens desynchronizes sale accountingNext52925 sc medium usdt like approval hygiene can block subsequent operations after partial fill leaves non zero allowance

Was this helpful?