# 52104 sc high removed reward tokens block validator commission claims **Submitted on Aug 8th 2025 at 00:57:27 UTC by @jovi for** [**Attackathon | Plume Network**](https://immunefi.com/audit-competition/plume-network-attackathon) * Report ID: #52104 * Report Type: Smart Contract * Report severity: High * Target: Impacts: * Temporary freezing of funds for at least 24 hours * Theft of unclaimed yield ## Description Both `ValidatorFacet.requestCommissionClaim()` and `ValidatorFacet.finalizeCommissionClaim()` require that the commission token is still active via the `_validateIsToken` modifier. When governance calls `RewardsFacet.removeRewardToken()`, the token’s `isRewardToken` flag is cleared while all previously-accrued commission remains recorded. Every future claim therefore reverts, freezing the funds and stripping validators of their earnings. ## Details ### How commissions are supposed to work {% stepper %} {% step %} ### Each validator accrues commission Each validator earns a slice of every active reward token; the amount is tracked to be claimed as commission. {% endstep %} {% step %} ### Claim flow When the validator admin is ready, they call `requestCommissionClaim()` and later `finalizeCommissionClaim()` to receive the payout. {% endstep %} {% endstepper %} Both claim functions enforce the same modifier: ```solidity modifier _validateIsToken(address token) { if (!PlumeStakingStorage.layout().isRewardToken[token]) { revert TokenDoesNotExist(token); } _; } ``` As long as `isRewardToken[token]` is `true`, claims succeed. If the flag is ever `false`, the call reverts before any business logic executes. ### What happens during token removal Governance (or the Reward Manager) can retire a reward token: ```solidity function removeRewardToken(address token) external … { … $.isRewardToken[token] = false; // ① mark as inactive $.rewardRates[token] = 0; // stop further accrual … } ``` Once step ① runs: * The next call to `requestCommissionClaim(..., token)` or `finalizeCommissionClaim(..., token)` hits `_validateIsToken` and reverts with `TokenDoesNotExist`. * The commission becomes unclaimable. ## Impact {% hint style="danger" %} * Loss of unclaimed commission for all validators when any reward token is removed. * Governance must reactivate a reward token for validators to be able to claim. {% endhint %} ## Proof of Concept {% stepper %} {% step %} ### Initial state * Deploy contracts. * Add reward token `TOKEN_A`; validators accrue commission in `TOKEN_A`. * Validator V has `validatorAccruedCommission[V][TOKEN_A] = 1_000`. {% endstep %} {% step %} ### Governance action * Call `RewardsFacet.removeRewardToken(TOKEN_A)`. {% endstep %} {% step %} ### Attempted claim * V calls `ValidatorFacet.requestCommissionClaim(V_ID, TOKEN_A)` → reverts `TokenDoesNotExist`. {% endstep %} {% step %} ### Observation * Storage still shows `validatorAccruedCommission[V][TOKEN_A] == 1_000`, but there is no callable function that will ever succeed, so the funds are frozen. {% endstep %} {% endstepper %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/plume-or-attackathon/52104-sc-high-removed-reward-tokens-block-validator-commission-claims.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.