# 50487 sc low cross campaign jackpot denial due to state pollution **Submitted on Jul 25th 2025 at 10:19:28 UTC by @IronsideSec for** [**Attackathon | Plume Network**](https://immunefi.com/audit-competition/plume-network-attackathon) * **Report ID:** #50487 * **Report Type:** Smart Contract * **Report severity:** Low * **Target:** * **Impacts:** Theft of unclaimed yield ## Description ### Brief / Intro The `Spin.sol` contract suffers from a state pollution vulnerability where `lastJackpotClaimWeek` is not reset when a new campaign starts via `setCampaignStartDate()`. This can cause legitimate users in subsequent campaigns to be denied their jackpot prizes if they win a jackpot in a week number that was already used by a previous campaign's jackpot winner. Losses can be up to 100,000 PLUME tokens per affected user (final week 12 jackpot). See the Recommended Fix below for an easy mitigation. ### Vulnerability Details {% stepper %} {% step %} ### Campaign 1 User A wins a jackpot in week 5 → `lastJackpotClaimWeek = 5`. No further jackpots are won until campaign end. {% endstep %} {% step %} ### Campaign Transition Admin calls `setCampaignStartDate(newDate)` → `campaignStartDate` updates but `lastJackpotClaimWeek` remains 5 (stale). {% endstep %} {% step %} ### Campaign 2 During Campaign 2, no jackpots for first 4 weeks. On week 5, User B legitimately wins: * `getCurrentWeek() = 5` * `currentWeek == lastJackpotClaimWeek` → jackpot denied (reward becomes "Nothing") {% endstep %} {% endstepper %} The proof-of-concept test demonstrates this scenario: * Campaign 1 jackpot in week 5: ✅ 20,000 PLUME awarded * Campaign 2 jackpot in week 5: ❌ 0 PLUME awarded (denied) ### Root Cause - Incomplete State Reset The admin function that starts a new campaign updates `campaignStartDate` but does not reset `lastJackpotClaimWeek`, leaving stale state that is used by the jackpot validation logic. Vulnerable setter: ```solidity // attackathon-plume-network/plume/src/spin/Spin.sol:479-483 function setCampaignStartDate( uint256 start ) external onlyRole(ADMIN_ROLE) { campaignStartDate = start == 0 ? block.timestamp : start; // ❌ BUG: lastJackpotClaimWeek is NOT reset here } ``` Vulnerable jackpot validation: ```solidity // attackathon-plume-network/plume/src/spin/Spin.sol:246-249 if (keccak256(bytes(rewardCategory)) == keccak256("Jackpot")) { uint256 currentWeek = getCurrentWeek(); if (currentWeek == lastJackpotClaimWeek) { // ❌ Uses stale data from previous campaign userDataStorage.nothingCounts += 1; rewardCategory = "Nothing"; rewardAmount = 0; emit JackpotAlreadyClaimed("Jackpot already claimed this week"); ``` Week calculation: ```solidity // attackathon-plume-network/plume/src/spin/Spin.sol:207-209 function getCurrentWeek() public view returns (uint256) { return (block.timestamp - campaignStartDate) / 7 days; } ``` ## Impact Details * Direct per-user loss: up to 100,000 PLUME tokens (week 11/12 jackpot). * Affected users: users with long streaks (13+ day streaks) who legitimately earn jackpots. * Spin fee loss: 2 PLUME per denied spin (no refund mechanism). * Systemic: weeks where jackpots were previously claimed become blocked across campaigns if the same week number occurs again; this effectively lets earlier campaigns "reserve" jackpot weeks for future campaigns, reducing availability and harming high-value users disproportionately. Severity multipliers: * Users cannot control or predict this. * Affects legitimately earned jackpots. * No recovery mechanism for denied jackpots. * Cumulative across campaigns. ## Recommended Fix Reset `lastJackpotClaimWeek` when starting a new campaign so prior campaign data cannot block jackpot claims in the new campaign. Suggested change: ```solidity function setCampaignStartDate(uint256 start) external onlyRole(ADMIN_ROLE) { campaignStartDate = start == 0 ? block.timestamp : start; lastJackpotClaimWeek = 999; // Reset to initial state for new campaign } ``` (Use an appropriate sentinel value consistent with the contract's initialization behavior — e.g., a very large number or the original initial value used in contract deployment.) ## Proof of Concept Gist with PoC and test steps: Steps (reproduced from the Gist) shown as a stepper: {% stepper %} {% step %} User1 spins daily for 7 days in Campaign 1 to build streak. {% endstep %} {% step %} User1 hits jackpot in week 5 of Campaign 1 → `lastJackpotClaimWeek = 5`. Campaign 1 ends. {% endstep %} {% step %} Admin starts Campaign 2 with `setCampaignStartDate()` → BUG: `lastJackpotClaimWeek` still = 5. {% endstep %} {% step %} User2 spins daily for 7 days in Campaign 2 to build streak. {% endstep %} {% step %} User2 hits jackpot in week 5 of Campaign 2 (winning RNG). {% endstep %} {% step %} Contract checks: `currentWeek (5) == lastJackpotClaimWeek (5)` → TRUE. {% endstep %} {% step %} Contract emits `JackpotAlreadyClaimed` and converts reward to "Nothing". {% endstep %} {% step %} User2 loses the 2 PLUME spin fee and gets 0 payout despite winning RNG. {% endstep %} {% step %} Fix: Reset `lastJackpotClaimWeek` in `setCampaignStartDate()` function. {% endstep %} {% endstepper %} ## References * Vulnerable Function: [setCampaignStartDate() in Spin.sol:479-483](https://github.com/plumenetwork/contracts/blob/fe67a98fa4344520c5ff2ac9293f5d9601963983/plume/src/spin/Spin.sol#L457-L461) * Jackpot Validation: [handleRandomness() in Spin.sol](https://github.com/plumenetwork/contracts/blob/fe67a98fa4344520c5ff2ac9293f5d9601963983/plume/src/spin/Spin.sol#L225-L232) * Week Calculator: [getCurrentWeek() in Spin.sol:207-209](https://github.com/immunefi-team/attackathon-plume-network/blob/580cc6d61b08a728bd98f11b9a2140b84f41c802/plume/src/spin/Spin.sol#L197-L199) ## Link to Proof of Concept --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/plume-or-attackathon/50487-sc-low-cross-campaign-jackpot-denial-due-to-state-pollution.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.