52770 sc high unbounded gas consumption via stakeonbehalf manipulation

Submitted on Aug 13th 2025 at 02:21:23 UTC by @bl4ck4non for Attackathon | Plume Network

• Report ID: #52770

• Report Type: Smart Contract

• Report severity: High

• Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/StakingFacet.sol

• Impacts: Unbounded gas consumption

Description

Brief/Intro

An attacker can exploit the stakeOnBehalf function to artificially inflate a victim's validator association list, causing their withdrawal transactions to consume 75x more gas than necessary. This attack targets whale users who legitimately stake across multiple validators, forcing them to pay significantly increased gas fees for routine withdrawals. The root cause is that the withdrawal process iterates through all validators in a user's association list, including those added by attackers through minimal stakeOnBehalf calls.

Vulnerability Details

The withdrawal process iterates through all validators in a user's association list, regardless of whether the user has actual cooldowns with those validators.

A whale user legitimately stakes to multiple validators (e.g., 10 validators) and later unstakes, creating cooldowns with those validators. An attacker uses stakeOnBehalf to stake minimal amounts (just above minStakeAmount) on behalf of the victim across thousands of additional validators.

Example from the code: stakeOnBehalf:

function stakeOnBehalf(uint16 validatorId, address staker) external payable returns (uint256) {
    if (staker == address(0)) {
        revert ZeroRecipientAddress();
    }

    uint256 stakeAmount = msg.value;

    // Perform all common staking setup for the beneficiary
    bool isNewStake = _performStakeSetup(staker, validatorId, stakeAmount);

    // Emit events
    emit Staked(staker, validatorId, stakeAmount, 0, 0, stakeAmount);
    emit StakedOnBehalf(msg.sender, staker, validatorId, stakeAmount);

    return stakeAmount;
}

Each stakeOnBehalf call triggers addStakerToValidator, which appends the validator to the victim's userValidators array:

When the victim withdraws, _processMaturedCooldowns iterates through the entire (possibly inflated) userValidators array, performing expensive storage reads and checks on many validators that have no actual cooldowns:

Because the attacker's minimal stakes remain active, the malicious validators are not removed from the victim's userValidators list during cleanup, so the attack persists.

Impact Details

Economic impact on whale users who stake across multiple validators:

• Normal withdrawal: 200K gas ($6–12 at 20 gwei)

• Post-attack withdrawal: 15M gas ($450–900 at 20 gwei)

• Attack cost (attacker deposit): ~ $283 (example: 3000 × 0.01 PLUME × $0.09441)

This is around a 75x increase in gas cost and can cost victims thousands during network congestion. The attack is more effective during high gas periods when victims most want to exit.

References

Proof of Concept

Notes / Suggestions (kept minimal)

• The issue arises from appending validators to a user's userValidators array on any addStakerToValidator call, combined with iterating over that full array when processing cooldowns. Potential mitigations (not exhaustive) include:

  • Only add a validator to userValidators when the user has a non-zero stake or a non-zero cooldown amount, or

  • Track and iterate only active cooldown entries (e.g., maintain a separate list/map of validators with non-zero cooldowns), or

  • Add limits/guards to stakeOnBehalf (rate-limiting, minimum beneficiary checks, or privileged-only calls) to prevent mass inflation.

(Per instructions: no additional facts beyond the original report were added; suggestions are generic mitigation directions implicit from the vulnerability description.)