51493 sc insight misleading view function documentation

Submitted on Aug 3rd 2025 at 11:20:30 UTC by @heavyw8t for Attackathon | Plume Network

Report ID: #51493
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/RewardsFacet.sol
Impacts: (none specified)

Brief/Intro

The _earned function in RewardsFacet.sol is documented as an "Internal View Function" but actually modifies state by calling calculateRewardsWithCheckpoints(), which updates storage variables.

Vulnerability Details

See POC

Impact Details

Insight: The documentation is incorrect and misleading.

Proof of Concept

Proof of Concept — details

The function comment states "Internal View Function (earned)," but the implementation calls PlumeRewardLogic.calculateRewardsWithCheckpoints(), which in turn calls updateRewardPerTokenForValidator(). This function modifies several storage variables:

$.validatorLastUpdateTimes[validatorId][token] = block.timestamp
$.validatorRewardPerTokenCumulative[validatorId][token] += rewardPerTokenIncrease
$.validatorAccruedCommission[validatorId][token] += commissionDeltaForValidator

Previous51276 sc low arctokenpurchase re enabling active token sales causes accounting corruption and token loss Next50977 sc low tellerwithmultiassetsupportpredicateproxy contract cannot be emergency paused

Was this helpful?

hashtagVulnerability Details

hashtagImpact Details

hashtagProof of Concept

Vulnerability Details

Impact Details

Proof of Concept