search
Active Boosts

52891 sc low staking and unstaking immediately an amount little less than the original staked amount leaves dust stake amounts in the system

Submitted on Aug 14th 2025 at 02:21:03 UTC by @WinSec for Attackathon | Plume Networkarrow-up-right

  • Report ID: #52891

  • Report Type: Smart Contract

  • Report severity: Low

  • Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/StakingFacet.sol

  • Impacts:

    • Contract fails to deliver promised returns, but doesn't lose value

hashtag
Description

hashtag
Brief/Intro

Staking X amount of tokens and then unstaking immediately an amount equal to X - 1 or X - (minAmount - 1) allows anyone to leave a residual stake amount smaller than the minimum stake. This enables bots to spam with dust amounts, increasing the size of the validatorStakers array and complicating accounting. Additionally, the protocol intends that stakes below the minimum amount should not earn rewards, but these dust stakes will continue to earn rewards.

hashtag
Vulnerability Details

In stake, restake and restakeRewards functions:

    function _validateStakeAmount(
        uint256 amount
    ) internal view {
        PlumeStakingStorage.Layout storage $ = PlumeStakingStorage.layout();
        if (amount == 0) {
            revert InvalidAmount(0);
        }
        if (amount < $.minStakeAmount) {
            revert StakeAmountTooSmall(amount, $.minStakeAmount);
        }
    }

The above check ensures that the amount being staked is greater than or equal to the minStakeAmount. But this check can be bypassed by staking and then immediately unstaking an amount slightly smaller than the original stake. That leaves a dust amount (less than minStakeAmount) in the system. The unstake function lacks a check to prevent leaving such dust. The unstake function should ensure that if the amount remaining after unstaking would be less than the minimum stake amount, the function unstakes the whole amount instead of leaving dust.

hashtag
Impact Details

  • Dust amounts remain in the system, complicating accounting.

  • Allows bots to spam with dust stakes, unnecessarily growing validatorStakers.

  • Dust amounts may continue to earn rewards even though they are below the intended minimum stake.

hashtag
References

https://github.com/plumenetwork/contracts/blob/fe67a98fa4344520c5ff2ac9293f5d9601963983/plume/src/facets/StakingFacet.sol#L105

hashtag
Proof of Concept

1

hashtag
Step

User stakes X amount in the protocol by calling the stake function.

2

hashtag
Step

User immediately calls unstake.

3

hashtag
Step

User unstakes an amount equal to X - 1.

4

hashtag
Step

This leaves an amount equal to 1 wei (or another small dust amount) in the system.

5

hashtag
Step

The remaining dust amount is less than the min amount required for staking and thus remains as a dust stake while still potentially earning rewards.

Previous52896 sc low pause gate is present but no way to pauseNext52996 sc high users can claim rewards for newly added reward tokens even when the validator they staked for was inactive during some time interval

Was this helpful?