51476 sc medium validators can t claim their accrued commission if they are made inactive

Submitted on Aug 3rd 2025 at 07:41:23 UTC by @WinSec for Attackathon | Plume Network

Report ID: #51476
Report Type: Smart Contract
Report severity: Medium
Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/ValidatorFacet.sol
Impacts:
- Theft of unclaimed yield

Description

Brief/Intro

Validators lose their accrued commission if they are made inactive.

Vulnerability Details

requestCommissionClaim has a check:

        if (!validator.active || validator.slashed) {
            revert ValidatorInactive(validatorId);
        }

Which means if the validator is not active then they can't claim commission. This is contradictory to the rules that apply to users:

when users call claim it calls _validateValidatorForClaim:

    function _validateValidatorForClaim(
        uint16 validatorId
    ) internal view {//@audit-ok only cheks if the
        PlumeStakingStorage.Layout storage $ = PlumeStakingStorage.layout();

        if (!$.validatorExists[validatorId]) {
            revert ValidatorDoesNotExist(validatorId);
        }
        // Allow claims from slashed validators - users should be able to claim preserved rewards
        // Only reject if validator doesn't exist
    }

Users are allowed to claim from slashed validators as well as inactive validators, as long as the validator exists. But validators who have accrued commission and aren't malicious and not slashed — if they are made inactive — cannot claim their commission and thus lose it unless reactivated.

Impact Details

Validators lose their accrued commission.

References

https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/ValidatorFacet.sol#L507

Proof of Concept

Step

Validator is active and earning commission on stakes for multiple reward periods.

Step

Validator accumulates significant commission (e.g., 1000 USDC) over time but hasn't claimed yet.

Step

Admin marks validator as inactive for legitimate reasons (maintenance, compliance, protocol upgrade).

Step

Validator attempts to claim their rightfully earned commission via requestCommissionClaim.

Step

Transaction reverts with ValidatorInactive(validatorId) despite commission being earned while active.

Step

Users can still claim rewards from the same inactive validator without any restrictions.

Step

Validator's earned commission becomes permanently inaccessible unless reactivated.

Previous52449 sc high broken streaks still pass jackpot eligibility in spin contract Next49710 sc high cross batch state manipulation in yield distribution allows double dipping of yield funds

Was this helpful?

hashtagDescription

hashtagBrief/Intro

hashtagVulnerability Details

hashtagImpact Details

hashtagReferences

hashtagProof of Concept

hashtagStep

hashtagStep

hashtagStep

hashtagStep

hashtagStep

hashtagStep

hashtagStep

Description

Brief/Intro

Vulnerability Details

Impact Details

References

Proof of Concept

Step

Step

Step

Step

Step

Step

Step