Jerms/fix restore streak

[yogurtandjam]

• emit currentStreak on spin complete
• restoreSTreak also sets last spin timestamp

[octane-security-app]

Summary by Octane

New Contracts

No new contracts were added in this PR.

Updated Contracts

• Spin.sol: The SpinCompleted event now includes currentStreak, and restoreStreak updates lastSpinTimestamp.

---

🔗 Commit Hash: 70962a7

[Copilot]

Pull Request Overview

Adds current streak information to the SpinCompleted event and ensures admin streak restoration updates last spin timestamp.

• Extend SpinCompleted event with currentStreak parameter and emit it.
• Update restoreStreak and restoreStreaks to also set lastSpinTimestamp.
• No input validation added for new/changed behaviors.

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

Changing the SpinCompleted event signature (adding currentStreak) is a breaking change for off-chain consumers relying on the previous ABI. Consider adding a new event (e.g., SpinCompletedV2) and emitting both during a transition period, or clearly documenting the migration requirement.

[Copilot]

[nitpick] restoreStreak now also updates lastSpinTimestamp but the function name and (presumed) existing documentation suggest only streak restoration. Add a comment clarifying this side-effect or rename if broader state restoration is intended.

Suggested change

	function restoreStreak(address user, uint256 streak) external onlyRole(ADMIN_ROLE) {
	userData[user].streakCount = streak;
	userData[user].lastSpinTimestamp = block.timestamp;
	}
	/**
	* @notice Restores a user's streak count and also updates their lastSpinTimestamp to the current block timestamp.
	* This function has the side-effect of resetting the user's last spin time.
	*/
	function restoreStreak(address user, uint256 streak) external onlyRole(ADMIN_ROLE) {
	userData[user].streakCount = streak;
	userData[user].lastSpinTimestamp = block.timestamp;
	}
	/**
	* @notice Restores multiple users' streak counts and also updates their lastSpinTimestamp to the current block timestamp.
	* This function has the side-effect of resetting each user's last spin time.
	*/

[Copilot]

Missing validation that users and streaks arrays have equal length; a mismatch will either revert (out-of-bounds) or silently ignore extra streak entries. Add a require(users.length == streaks.length, 'Length mismatch') before the loop for clearer input validation.

[Copilot]

[nitpick] Similar to restoreStreak, this batch function now alters both streakCount and lastSpinTimestamp; add a comment explaining why timestamp is reset during restoration to avoid confusion for maintainers.

[octane-security-app]

Overview

Vulnerabilities found:	2
Severity breakdown:	1 Medium, 1 Low

Warnings found:	5

Detailed findings

plume/src/spin/Spin.sol

• Timestamp-dependent reward evaluation in Spin.determineReward/handleRandomness allows timing control to bias jackpot odds and payouts. See more
• Stale streakCount read before update in Spin.handleRandomness jackpot eligibility causes mis-awarded jackpot and protocol fund loss. See more

Warnings

plume/src/spin/Spin.sol

• Payout transfer revert in Spin.handleRandomness causes per-user startSpin lock due to pending flag rollback. See more
• Missing nonce validation/binding in Spin oracle integration causes user fee loss and reward misbinding. See more
• Missing address validation in Spin.initialize causes core spin DoS. See more
• uint8 week-number truncation in Spin.determineReward causes zero or unintended jackpot payouts. See more
• Missing array length check in Spin.handleRandomness causes pending spin DoS. See more

---

🔗 Commit Hash: 70962a7
🛡️ Octane Dashboard: All vulnerabilities