52436 sc low getaccruedcommission could return an inaccurate value

Submitted on Aug 10th 2025 at 17:06:50 UTC by @a16 for Attackathon | Plume Network

Report ID: #52436
Report Type: Smart Contract
Report severity: Low
Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/ValidatorFacet.sol
Impacts:
- Contract fails to deliver promised returns, but doesn't lose value
- Temporary freezing of funds for at least 1 hour

Description

Brief / Intro

The getAccruedCommission() function is supposed to return the amount of commission accrued by a validator for a single token, but it does not account for changes that occurred since the last on-chain update.

Vulnerability Details

Commission accrues over time as a percentage of rewards. The public function getAccruedCommission() returns validatorAccruedCommission[validatorId][token], but the true accrued commission (as computed in requestCommissionClaim()) may be larger because requestCommissionClaim() updates validatorAccruedCommission[validatorId][token] by calling _settleCommissionForValidatorUpToNow(), which internally calls updateRewardPerTokenForValidator() and increments validatorAccruedCommission[validatorId][token]. If time has passed since the last update, the value returned by getAccruedCommission() can be considerably smaller than the actual amount that would be settled on-chain.

Impact Details

Validators calling this public function might get an incorrect impression of the amount of commission accrued so far, leading them to delay claiming rewards or otherwise misjudge available commission.

Proof of Concept

Observer checks accrued commission

Validator 1 calls getAccruedCommission() which returns a relatively low value. Validator 1 decides to wait another day before checking again.

Value appears unchanged

Validator 1 calls getAccruedCommission() again and still sees the same low value, because no on-chain update has run to settle accrued commission.

Claim reveals higher settled amount

Validator 1 calls requestCommissionClaim() and observes that the amount actually received is larger than what getAccruedCommission() previously reported, since requestCommissionClaim() triggers settlement logic that updates the accrued commission up to now.

Previous51455 sc low inflated earned ui rewards when validator stake is zero due to missing totalstaked guard in view logic Next52923 sc critical partial fill traps source token residual inside the wrapper and leaves unsafe residual allowance

Was this helpful?

hashtagDescription

hashtagBrief / Intro

hashtagVulnerability Details

hashtagImpact Details

hashtagProof of Concept

hashtagObserver checks accrued commission

hashtagValue appears unchanged

hashtagClaim reveals higher settled amount