search
Active Boosts

52084 sc high unstaking before reward token removal leads to incorrect reward accrual on re addition

  • Report ID: #52084

  • Report Type: Smart Contract

  • Report severity: High

  • Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/StakingFacet.sol

  • Impacts:

    • Theft of unclaimed yield

    • Protocol insolvency

  • Submitted on Aug 7th 2025 at 19:59:16 UTC by @light279 for Attackathon | Plume Network (https://immunefi.com/audit-competition/plume-network-attackathon)

hashtag
#52084 [SC-High] Unstaking Before Reward Token Removal Leads to Incorrect Reward Accrual on Re-addition

hashtag
Description

hashtag
Brief / Intro

In the Plume staking system, if a user fully unstakes from a validator before a reward token is removed and later restakes after the token has been removed, user reward pointers are not correctly reinitialized for that historical token. If the removed token is re-added later, the stale user reward pointers cause rewards from the period when the user had no stake to be included in their claim, resulting in incorrect and inflated reward claims.

hashtag
Vulnerability Details

When a user calls StakingFacet::unstake, the system updates their reward data via PlumeRewardLogic.updateRewardsForValidator, setting:

  • $.userValidatorRewardPerTokenPaid

  • $.userValidatorRewardPerTokenPaidTimestamp

for all historical reward tokens (including those active at the time of unstake, T1). If a reward token is removed at T2, it is removed from the rewardTokens array but user metadata for that token is preserved (no deletion). When the user restakes at T3, _initializeRewardStateForNewStake() iterates only over the current rewardTokens array and does not initialize state for removed (historical) tokens. Thus the user's stored pointers for the removed token remain those set at T1.

If the token is re-added at T4 and the user later claims at T5, reward calculation uses the stale pointers (from T1) and includes rewards accrued from T1→T2, during which the user had no stake.

Functional call flow for claiming (simplified): RewardsFacet::claim(token,validatorId) => RewardsFacet::_processValidatorRewards(user, validatorId) => PlumeRewardLogic.updateRewardsForValidatorAndToken($, user, validatorId, token) => calculateRewardsWithCheckpoints(...) => _calculateRewardsCore(...)

Excerpt from _calculateRewardsCore(...) showing use of stale user pointers:

hashtag
Impact Details

  • Reward Overpayment: Users can claim unearned rewards for removed tokens corresponding to the period between their full unstake (T1) and the token removal (T2), despite having no stake during that time.

hashtag
Proof of Concept

1

hashtag
User stakes and earns some rewards

  • At time T0, user stakes 100 tokens on validator 1.

2

hashtag
User fully unstakes at time T1

This triggers updateRewardsForValidator(), which sets:

  • userValidatorRewardPerTokenPaid[0xUser][1][tokenA] to latest cumulative RPT.

  • userValidatorRewardPerTokenPaidTimestamp[0xUser][1][tokenA] = T1

3

hashtag
tokenA is removed at time T2

  • rewardRates[tokenA] = 0

  • tokenA is removed from rewardTokens array

  • A final checkpoint with rate 0 is written

4

hashtag
User restakes at time T3 (after tokenA was removed)

  • User calls stake/restake which calls _performStakeSetup.

  • Because the user's stake is zero, _initializeRewardStateForNewStake is called.

  • _initializeRewardStateForNewStake iterates only over current rewardTokens; tokenA is not present.

  • Therefore:

    • userValidatorRewardPerTokenPaid[0xUser][1][tokenA] remains unchanged (still set at T1).

    • userValidatorRewardPerTokenPaidTimestamp[0xUser][1][tokenA] remains unchanged (still T1).

Relevant code:

5

hashtag
tokenA is re-added at time T4

  • tokenA is pushed back into rewardTokens.

6

hashtag
User claims rewards at time T5

  • updateRewardsForValidatorAndToken(tokenA) is called.

  • calculateRewardsWithCheckpoints() -> _calculateRewardsCore() uses:

    • userValidatorRewardPerTokenPaidTimestamp = T1

    • userValidatorRewardPerTokenPaid = value at T1

Result: reward calculation includes T1 → T2 period even though user had no stake then, causing overpayment.

Previous51658 sc high yield distribution in batches let the same tokens collect rewards in multiple batches stealing yield from other usersNext52711 sc high in validatorfacet validator cannot claims commissions of removed tokens

Was this helpful?