52390 sc high validateistoken blocks validators from claiming earned rewards from removed tokens

Submitted on Aug 10th 2025 at 12:01:48 UTC by @kaysoft for Attackathon | Plume Network

Report ID: #52390
Report Type: Smart Contract
Report severity: High
Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/ValidatorFacet.sol
Impacts:
- Temporary freezing of funds for at least 24 hours

Description

Brief/Intro

The _validateIsToken(...) modifier reverts for a reward token that has been removed. The requestCommissionClaim(...) function uses the _validateIsToken(...) modifier which will cause unclaimed rewards to revert for a token that has been removed.

Vulnerability Details

The requestCommissionClaim(...) has a _validateIsToken(...) that immediately reverts if the reward token has been removed. Pending reward tokens for a removed token cannot be claimed by validators.

File: ValidatorFacet.sol
 modifier _validateIsToken(
        address token
    ) {
        if (!PlumeStakingStorage.layout().isRewardToken[token]) {
            revert TokenDoesNotExist(token);
        }
        _;
    }

Instead of reverting immediately in the above logic, check for unclaimed earned commissions like the RewardsFacet.sol#_validateTokenForClaim(...).

function requestCommissionClaim(
        uint16 validatorId,
        address token
    )
        external
        onlyValidatorAdmin(validatorId)
        nonReentrant
        _validateValidatorExists(validatorId)
        _validateIsToken(token)//@audit-issue validator cannot claim a token that has been removed
    {
        PlumeStakingStorage.Layout storage $ = PlumeStakingStorage.layout();
        PlumeStakingStorage.ValidatorInfo storage validator = $.validators[validatorId];

        if (!validator.active || validator.slashed) {
            revert ValidatorInactive(validatorId);
        }

        // Settle commission up to now to ensure accurate amount
        PlumeRewardLogic._settleCommissionForValidatorUpToNow($, validatorId);

        uint256 amount = $.validatorAccruedCommission[validatorId][token];
        if (amount == 0) {
            revert InvalidAmount(0);
        }
        if ($.pendingCommissionClaims[validatorId][token].amount > 0) {
            revert PendingClaimExists(validatorId, token);
        }
        address recipient = validator.l2WithdrawAddress;
        uint256 nowTs = block.timestamp;
        $.pendingCommissionClaims[validatorId][token] = PlumeStakingStorage.PendingCommissionClaim({
            amount: amount,
            requestTimestamp: nowTs,
            token: token,
            recipient: recipient
        });
        // Zero out accrued commission immediately
        $.validatorAccruedCommission[validatorId][token] = 0;

        emit CommissionClaimRequested(validatorId, token, recipient, amount, nowTs);
    }

Impact Details

Validators cannot claim pending earned reward tokens for a removed reward token. This happens if the reward token was removed before the validator calls the requestCommissionClaim(...) function. All rewards earned up to the point of reward token removal before a validator calls requestCommissionClaim(...) are blocked.

Severity: High — Temporary freezing of funds for at least 24 hours.

Recommendation

Implement a pending reward check for a removed token when requestCommissionClaim(...) function is called instead of the reverting that is done in the _validateIsToken(...).

Refer to RewardsFacet.sol#_validateTokenForClaim(...) as an example of checking for pending/earned rewards for removed tokens prior to reverting.

Proof of Concept

Setup

Admin deploys PlumeStaking contract and adds 2 reward tokens.
Bob has validator 1 on PlumeStaking.
Bob has earned 100 Plume reward tokens but has not requested claiming them with the requestCommissionClaim(...) function.

Trigger

Admin removes Plume token from reward tokens.
Bob calls the requestCommissionClaim(...) function to start the claiming process of his earned 100 Plume reward tokens but the transaction reverts due to the _validateIsToken(...) modifier.

Result

Bob cannot claim his earned 100 Plume reward tokens.

References

Target file: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/ValidatorFacet.sol
Suggested reference: RewardsFacet.sol#_validateTokenForClaim(...) (used as suggested behaviour)

Previous50887 sc insight arcotokenpurchase purchasemade event mislabels payment amount as pricepaid instead of unit price Next51882 sc low unnecessary claiming restriction in raffle contract prevents winners from claiming prizes until all winners are drawn

Was this helpful?

hashtagDescription

hashtagBrief/Intro

hashtagVulnerability Details

hashtagImpact Details

hashtagRecommendation

hashtagProof of Concept

hashtagSetup

hashtagTrigger

hashtagResult

hashtagReferences

Description

Brief/Intro

Vulnerability Details

Impact Details

Recommendation

Proof of Concept

Setup

Trigger

Result

References