# #39675 \[BC-Critical] Reward Exploitation via Unvalidated Node Status in "initRewardTX"

**Submitted on Feb 4th 2025 at 16:21:52 UTC by @bountyhunter2048 for** [**Audit Comp | Shardeum: Core III**](https://immunefi.com/audit-competition/audit-comp-shardeum-core-iii)

* **Report ID:** #39675
* **Report Type:** Blockchain/DLT
* **Report severity:** Critical
* **Target:** <https://github.com/shardeum/shardeum/tree/bugbounty>
* **Impacts:**
  * Direct loss of funds

## Description

## Brief/Intro

A vulnerability in the `initRewardTX` function allows malicious actors to claim rewards without running active validator nodes. The function fails to verify if nominee accounts are active network nodes.

## Vulnerability Details

It is confusing that there are unfixed known issues in the `tags/bugbounty` of the Shardeum validator codebase. It makes security researchers spend time looking back into known issues whenever a bug is found in the codebase. IMHO, Shardeum should start a new bounty only after previously known bugs are fixed.

Anyway, I cannot find this exact bug in the known issues. There is a close known issue in `claimRewardTX` named "Vulnerability in Reward Claim Process Allows Reward Time Manipulation" in the [Known before pp1.pdf](https://drive.google.com/file/d/1H6o8IPtrlTDvr_cfTRhvgr1Vvh4EYwb8/view?pli=1). However, I think the bug I found is a bit different, because the known issue assumes that the node actually went active and served in the network.

However, this bug is in `initRewardTX`, and it basically allows anyone to earn lots of free SHM rewards without really running validators. Well, he just needs one bad validator with the patch file I provided. The bug is that the validate function of `initRewardTX` never checks whether the nominee (node account) is an active node in the network. So, a malicious actor can do the following exploit:

1. Start his bad node and wait until it becomes active.
2. Create a wallet and fund it.
3. Stake a random nominee using this wallet.
4. Visit `http://<badNodeIp>:<badNodePort>/init-reward?nominee=<randomNominee>`. He can automate this.
5. Redo steps 2, 3 and 4 with different wallet+nominee pairs as many times as he can invest (due to staking). He can use the script I provided in the gist.
6. Wait until his bad node is close to being removed from the network. Actually, he can earn more if he has other nodes in the network or waits until his bad node becomes active again after being rotated out.
7. Visit `http://<badNodeIp>:<badNodePort>/claim-reward?nominee=<randomNominee>` for each nominee. He can automate this too.
8. Submit unstake txs for all of his fake nominees and earn rewards without actually running the nodes.
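The following is an added example illustrating the missing check described above; it is not part of this report, the gist, or Shardeum's code. It models the `initRewardTX` validation in TypeScript (the language of the Shardeum validator) with a hypothetical account shape, a hypothetical cycle record listing active node ids, and constructed sample data: the "vulnerable" variant accepts any staked nominee, while the hardened variant also requires the nominee to be an active node in the current cycle, which is the condition the report says is never verified.

```typescript
// Added example, not Shardeum code. All types and names below are hypothetical
// models of the report's description, not the real validator data structures.

interface NodeAccount {
  id: string;       // nominee public key (constructed)
  stakeLock: number; // staked amount; 0 means the address was never staked
}

interface CycleRecord {
  counter: number;             // cycle number (constructed)
  activeNodeIds: Set<string>;  // node ids actually serving in this cycle
}

interface InitRewardTx {
  nominee: string;
  txTimestamp: number;
}

type ValidationResult = { ok: true } | { ok: false; reason: string };

// Behaviour the report describes: existence and stake are checked, but nothing
// confirms that the nominee ever joined the network as an active node.
function validateInitRewardTxVulnerable(
  tx: InitRewardTx,
  accounts: Map<string, NodeAccount>,
): ValidationResult {
  const acct = accounts.get(tx.nominee);
  if (!acct) return { ok: false, reason: 'unknown nominee account' };
  if (acct.stakeLock <= 0) return { ok: false, reason: 'nominee has no stake' };
  return { ok: true };
}

// Hardened variant: in addition to the checks above, the nominee must appear in
// the active node list of the current cycle. A staked-but-never-run address
// therefore cannot open a reward window.
function validateInitRewardTxHardened(
  tx: InitRewardTx,
  accounts: Map<string, NodeAccount>,
  cycle: CycleRecord,
): ValidationResult {
  const base = validateInitRewardTxVulnerable(tx, accounts);
  if (!base.ok) return base;
  if (!cycle.activeNodeIds.has(tx.nominee)) {
    return {
      ok: false,
      reason: `nominee is not an active node in cycle ${cycle.counter}`,
    };
  }
  return { ok: true };
}

// Constructed sample state: one node that is really active in the cycle and one
// address that was staked by a wallet but never ran a validator.
const sampleAccounts = new Map<string, NodeAccount>([
  ['0xREAL_NODE', { id: '0xREAL_NODE', stakeLock: 10 }],
  ['0xFAKE_NOMINEE', { id: '0xFAKE_NOMINEE', stakeLock: 10 }],
]);
const sampleCycle: CycleRecord = {
  counter: 42,
  activeNodeIds: new Set(['0xREAL_NODE']),
};

// Runs both validators over the constructed state so the difference is visible.
function runDemo() {
  const ts = 1700000000000; // constructed timestamp
  const fakeTx: InitRewardTx = { nominee: '0xFAKE_NOMINEE', txTimestamp: ts };
  const realTx: InitRewardTx = { nominee: '0xREAL_NODE', txTimestamp: ts };
  return {
    fakeVulnerable: validateInitRewardTxVulnerable(fakeTx, sampleAccounts),
    fakeHardened: validateInitRewardTxHardened(fakeTx, sampleAccounts, sampleCycle),
    realHardened: validateInitRewardTxHardened(realTx, sampleAccounts, sampleCycle),
  };
}

console.log(runDemo());
```

In the constructed state the vulnerable check accepts `0xFAKE_NOMINEE` because it has a stake record, while the hardened check rejects it with "not an active node" and still accepts `0xREAL_NODE`. The same membership test against the cycle's active node list is also a cheap detection signal: any accepted `initRewardTX` whose nominee was not active in that cycle indicates the flaw is being exercised.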

## Impact Details

Let's assume he staked 100 fake nodes in a 1280-node network and his bad node participated in 1280 cycles (assume each node is rotated out every cycle). Assume that Shardeum rewards 1 SHM for an hour of validating. His net profit per node is *(1280 - 2 \* txFee) = 1279.98 SHM*. The total profit will be *127998 SHM*, and that's a lot of SHM stolen from the network. He can steal more if he can invest more in initial staking or wait longer before doing `/claim-reward`.

## References

Gist: <https://gist.github.com/bountyhunter2048/4d4f6f86eaa6c9af7a48abca8614631c>

## Link to Proof of Concept

<https://gist.github.com/bountyhunter2048/4d4f6f86eaa6c9af7a48abca8614631c>

## Proof of Concept

Please see the patch file I provided in the gist. It simply exposes two endpoints, `/init-reward` and `/claim-reward`, that inject an `initRewardTX` or `claimRewardTX` for the given nominee account. Please use the hardhat scripts (from the gist) to automate the stake and unstake txs. I will not do a video demo for this because it is a straightforward exploit, but if Shardeum needs it I can demo a video.

Gist: <https://gist.github.com/bountyhunter2048/4d4f6f86eaa6c9af7a48abca8614631c>

