search
Active Boosts

52165 sc high user can t claim reward erc20 tokens since rewards transfer will revert

Submitted on Aug 8th 2025 at 12:24:06 UTC by @WinSec for Attackathon | Plume Networkarrow-up-right

  • Report ID: #52165

  • Report Type: Smart Contract

  • Report severity: High

  • Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/RewardsFacet.sol

  • Impacts:

    • Theft of unclaimed yield

hashtag
Description

hashtag
Brief/Intro

When users call claim it calls _finalizeRewardClaim which further calls _transferRewardFromTreasury which finally calls distributeReward on the PlumeStakingRewardTreasury contract. That call can revert due to this check in the treasury:

if (!_isRewardToken[token]) {
    revert TokenNotRegistered(token);
}

hashtag
Vulnerability Details

Reward tokens are added/removed in the RewardFacet contract via addRewardToken / removal functions and that facet maintains a mapping:

When tokens are removed the mapping is set to false. However, the treasury contract uses a different mapping (_isRewardToken) and enforces the check above before distributing ERC20 rewards. If a token was removed in the RewardFacet but not registered in the treasury's _isRewardToken mapping (or vice versa), attempting to claim rewards will revert.

Relevant code paths:

  • RewardFacet ultimately calls:

  • PlumeStakingRewardTreasury's ERC20 distribution branch:

Because the treasury checks its own _isRewardToken mapping, tokens added/removed only in RewardFacet may not be reflected in the treasury, causing a revert during claim.

The intended design appears to add reward tokens via the RewardFacet; therefore the treasury-side token existence check is unnecessary for ERC20 distribution (this is supported by the fact the native token branch doesn't perform an equivalent check).

hashtag
Impact Details

Users won't be able to claim ERC20 reward tokens if the treasury's _isRewardToken mapping does not mark the token as registered — resulting in denial of reward claims and potential loss/theft of unclaimed yield.

hashtag
References

https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/PlumeStakingRewardTreasury.sol#L185-L187

hashtag
Proof of Concept

1

hashtag
Add reward token in RewardFacet

RewardToken is added in the RewardFacet:

2

hashtag
User accrues rewards

A user accrues some rewards over time for that token.

3

hashtag
RewardToken removed in RewardFacet

The token is removed in the RewardFacet:

4

hashtag
User calls claim()

User calls claim():

This calls:

which calls the treasury:

The treasury will revert because the token isn't registered in its _isRewardToken mapping:

Previous52468 sc insight dos in batch yield distribution due to cross batch state inconsistencyNext51951 sc low a global blocking check in claimprize prevents individual winner claims until all winners are drawn

Was this helpful?