53025 sc high commission on removed tokens is unclaimable

Submitted on Aug 14th 2025 at 17:20:20 UTC by @axolot for Attackathon | Plume Network

Report ID: #53025
Report Type: Smart Contract
Report severity: High
Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/ValidatorFacet.sol
Impacts:
- Theft of unclaimed yield

Description

Brief/Intro

After a reward token is removed via removeRewardToken, any already accrued validator commission for that token becomes unclaimable. requestCommissionClaim rejects the token because _validateIsToken currently requires isRewardToken[token] == true. Commission is hence stuck.

Vulnerability Details

Removing a token sets $.isRewardToken[token] = false and writes a 0-rate checkpoint. Accrued commission in $.validatorAccruedCommission[validatorId][token] remains.

But ValidatorFacet.requestCommissionClaim enforces _validateIsToken, which will revert for such token:

   function requestCommissionClaim(
        uint16 validatorId,
        address token
    )
        external
        onlyValidatorAdmin(validatorId)
        nonReentrant
        _validateValidatorExists(validatorId)
        _validateIsToken(token) //@audit - will revert here
    {
      ...
    }

    ...

    modifier _validateIsToken(
        address token
    ) {
        if (!PlumeStakingStorage.layout().isRewardToken[token]) {
            revert TokenDoesNotExist(token);
        }
        _;
    }

This is unexpected as the token is still a historical reward token, and accrual happened until the removal point: according to the README https://github.com/plumenetwork/contracts/blob/main/plume/README.md?utm_source=immunefi#reward-token-lifecycle--historical-tokens

Removing a token (removeRewardToken) does not delete checkpoints. Instead it:
Records tokenRemovalTimestamps[token] = block.timestamp so future calculations cap at this moment.
Forces a final zero-rate checkpoint for each validator, guaranteeing no further accrual.
Leaves all historical checkpoints intact so users can still claim previously-earned rewards.
Users can therefore continue to claim even after a token is no longer active. View/claim helpers automatically fall back to historical calculations when isRewardToken[token] == false but isHistoricalRewardToken[token] == true.

There is no alternate path to claim that pre-removal commission.

Impact Details

The impact is freezing of the pre-removal validator commission (until the token is re-added as a reward, which defeats the purpose of removing it in the first place). This can be large for token emissions that lasted for a long time until removal.

Note that token removal is a normal operation in the reward lifecycle and does not require malicious operation from the admin.

Mitigation

Allow commission claims for historical tokens: replace the _validateIsToken call in requestCommissionClaim with a check like:

require(isRewardToken[token] || isHistoricalRewardToken[token]);

and ensure accrual calculations are capped at the timestamp the reward token is removed (i.e., use tokenRemovalTimestamps[token] when computing historical accruals).

Proof of Concept

PoC (steps - no code)

Run emissions for a token T long enough for a validator to accrue non-zero $.validatorAccruedCommission[id][T].

Admin calls removeRewardToken(T).

Validator admin calls requestCommissionClaim(id, T). It reverts because _validateIsToken requires isRewardToken[T] == true.

There is no alternate route to claim the already-accrued amount. Funds are permanently stuck.

Previous53028 sc high there is an asymmetric rounding issue that is can cause a theft of unclaimed yield in reward or commission accounting Next53022 sc critical funds are not properly refunded to user which calls for swap on the dex aggregator

Was this helpful?

hashtagDescription

hashtagBrief/Intro

hashtagVulnerability Details

hashtagImpact Details

hashtagMitigation

hashtagProof of Concept

hashtagPoC (steps - no code)