search
Active Boosts

50275 sc high eligible user loses jackpot

Submitted on Jul 23rd 2025 at 09:04:01 UTC by @shadowHunter for Attackathon | Plume Networkarrow-up-right

  • Report ID: #50275

  • Report Type: Smart Contract

  • Report severity: High

  • Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/spin/Spin.sol

  • Impacts:

    • Theft of unclaimed yield

hashtag
Description

hashtag
Brief/Intro

Any spin initiated before the start of Week 12 is eligible for the jackpot. However, if a user spins X seconds before the Week 12 cutoff but the Supra oracle callback arrives at—or after—the start of Week 12, the user does not receive the jackpot, even when the random result would otherwise qualify.

hashtag
Vulnerability Details

See the Proof of Concept section below.

hashtag
Impact Details

User will lose jackpot even when they were qualified.

hashtag
Recommendation

Week should be calculated from the spin time and not the callback time.

hashtag
Proof of Concept

1

hashtag
Scenario setup

  • User A calls startSpin() just before the end of Week 11, specifically at:

  • This makes User A eligible for a jackpot, since jackpot prizes are configured as:

2

hashtag
Oracle delay

  • The Supra oracle processes the random number after some delay Y, where:

  • The callback therefore happens during Week 12.

3

hashtag
Outcome and conditions

  • Assume:

    • The returned random number qualifies for a jackpot.

    • The user has the required streak.

  • Still, the user won't receive a jackpot because weekNumber is now 12 and:

4

hashtag
Relevant code snippet

Problem: Even though the spin was valid during Week 11, the reward is denied due to the delayed callback pushing weekNumber into Week 12, where no jackpot prize is configured.

Previous51909 sc medium inconsistent commission claim logic denies legitimate claims for inactive validatorsNext52424 sc high there is a retroactive commission miscalculation in plumerewardlogic

Was this helpful?