Plume is a public, EVM-compatible blockchain optimized for the rapid adoption and demand-driven integration of real world assets.

Plume Network Academy

Explore Plume's EVM-compatible blockchain designed for tokenizing real-world assets (RWAs). Access technical guides, smart wallet architecture, staking protocols, and compliance tools to build and interact with the RWAfi ecosystem.

What is Plume?

Learn how Plume tokenizes real-world assets like real estate and commodities, making them tradable and accessible on the blockchain.

What is RWA token?

Tokenization and RWA management are the main tasks of Plume network. The Plume architecture shows how the core components - Arc, Smart Wallets and Nexus - are interconnected. Together they provide diverse asset classes, compliance and facilitating data integration.

Plume's architecture

Plume 101

Explore PlumeStaking, a flexible staking architecture built on the Diamond standard. It supports multiple validators, reward distribution, and a cooling period for unstaked tokens, organized into modular facets for access control, staking, rewards, and management.

Plume Staking Contracts

Discover how Plume integrates smart wallet functionality directly into EOAs using a customized go-ethereum client, enabling features like gasless transactions and user-defined extensions without relying on third-party providers.

Plume Smart Wallets

Explore Nest's permissionless staking platform, enabling users to earn institutional-grade yields by depositing stablecoins into vaults backed by tokenized real-world assets.

Nest: RWA Staking Protocol

Plume Contracts

Bringing real-world data onchain has always been a challenge: latency, update frequency, and reliability. Plume Nexus tackles this by offering a fast, efficient infrastructure for real-time data delivery directly to smart contracts.

Nexus: Real-World Data Integration

Compare Plume and Ethereum on fees, block structure, and smart contract behavior.

Plume vs Ethereum

Explore Plume's testnet details including RPC endpoints and Chain ID from the official documentation.

Explorer and RPC

Learn about Plume's dual-layer finality system ensuring transaction irreversibility.

Block Finality

Learn how Plume supports on-chain KYC attestations through user-selected third-party identity providers.

KYC Compliance

Understand how Plume uses Forta Firewall for ongoing AML monitoring and detection of suspicious activity.

AML Screening

Plume Network

Step-by-step guide to deploying and verifying smart contracts on the Plume testnet with Foundry, including setup, sample code, and RPC configuration.

How to run Foundry Tests

Step-by-step guide to spinning up a local Plume node for testing and research.

How to run a Node

Running Proof of Concept (PoC)

Trail of Bits audit covered Gov token, Smart Wallet contract, RWA token and RWA yield token. Among other things go-ethereum fork for Plume was audited.

Multi: Trail of Bits audit

Pashov Audit Group security review of Nucleus Boring Vault.

Pashov Audit Group

Audits & Known Issues

Find quick answers to common questions about Plume's ecosystem and features.

A quick guide to essential terms in real-world asset tokenization, from smart contracts to fractional ownership.

Tokenized RWAs: Key Terms for Beginners

Plume is building a holistic ecosystem on top of a purpose-built L1 blockchain to make our RWAfi vision a reality, using tokenized RWAs as the backbone of our ecosystem.

Manifesto

Additional resources such as audits, documentation, and more information about Plume Network ecosystem.

Additional Resources

Technical FAQ

Attackathons are education-based bug hunting competitions where security researchers compete over a reward pool by submitting impactful bugs in the project's code. Here's how they work:

**Before the Attackathon**<br/> Immunefi works with the project to host a security-focused education period, providing top tier education and support to security researchers.

**During the Attackathon**<br/> Security researchers experience optimal hunting conditions, with direct project support, responsiveness, and duplicate rewards.

**After the Attackathon**<br/> Immunefi spotlights the security accomplishments with a custom leaderboard, Attackathon Summary Report, Bugfix Reviews, and Individual Achievement Cards.

Ultimately, Attackathons serve to secure projects, develop their security ecosystem, and create new opportunities for security researchers.

What's an Attackathon?

TellerWithMultiAssetSupportPredicateProxy.sol - [138]

DexAggregatorWrapperWithPredicateProxy.sol - [301]

__Insight Reporting__

Insight reports may be reported to this program and do not require a PoC. Insights are rewarded according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms).

__Dispute Resolution__

If there is any dispute over bug reports between projects and security researchers, Immunefi has final say on validity and severity based on the terms of this program.

__Asset Accuracy Assurance__

- Bugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.

__Private Known Issues Reward Policy__

- Private known issues, meaning known issues that were not publicly disclosed, are valid for a reward.

__Primacy of Impact vs Primacy of Rules__

- Plume Network adheres to the Primacy of Rules, which means that the whole Attackathon program is run strictly under the terms and conditions stated within this page.

__KYC Requirement__

Plume Network requires KYC information to pay for bug submissions. The following information will be required:
- Full name 
- Date of birth
- Proof of address (either a redacted bank statement with address or a recent utility bill)
- Copy of Passport or other Government issued ID

Security researchers are required to submit KYC within 14 days of KYC being requested, else their rewards may be forfeited. Immunefi may make exceptions due to extenuating circumstances.

__Responsible Publication__

- Whitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:
   - Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.

- Immunefi may publish bug reports submitted to this Audit Competition and a leaderboard of the participants and their earnings.

__Feasibility Limitations__

- When there is uncertainty about how feasible an attack is Immunefi will use our feasibility limitation standards to determine the severity of the report.

__Immunefi Standard Badge__

- By adhering to Immunefi’s best practice recommendations, Plume Network has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).

Plume is a public, EVM-compatible blockchain optimized for the rapid adoption and demand-driven integration of real world assets (RWAs).

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Permanent freezing of funds

Protocol insolvency

Theft of unclaimed yield

Temporary freezing of funds for at least 24 hours

Theft of gas

Smart contract unable to operate due to lack of token funds

Contract fails to deliver promised returns, but doesn't lose value

Unbounded gas consumption

Temporary freezing of funds for at least 1 hour

**Build commands, Test commands, and instructions on how to run them:**

- [https://github.com/plumenetwork/contracts/blob/main/plume/README.md](https://github.com/plumenetwork/contracts/blob/main/plume/README.md) - Staking
- [https://github.com/plumenetwork/contracts/blob/main/plume/SPIN.md](https://github.com/plumenetwork/contracts/blob/main/plume/SPIN.md) - Daily Spin
- [https://github.com/plumenetwork/contracts/blob/main/arc/README.md](https://github.com/plumenetwork/contracts/blob/main/arc/README.md) - Arc Token

**Previous Audits**

Plume Network’s completed audit reports can be found at [https://github.com/plumenetwork/contracts/blob/main/plume/audit/immunefi.pdf](https://github.com/plumenetwork/contracts/blob/main/plume/audit/immunefi.pdf) & [https://github.com/plumenetwork/contracts/blob/main/plume/audit/ottersec.pdf](https://github.com/plumenetwork/contracts/blob/main/plume/audit/ottersec.pdf). Unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.

**Public Disclosure of Known Issues**

Bug reports for publicly disclosed bugs are not eligible for a reward. 
- None

**Is this an upgrade of an existing system? If so, which? And what are the main differences?**

No – from the security-reviewer’s perspective this should be treated as a fresh, stand-alone system.

**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?**

- ERC-20 –
     - The native stake/reward token $PLUME functions like an ERC-20 (plus an “ETH-style” 0xEeee… sentinel for native transfers).
     - Any ERC-20 can be added as a reward token via addRewardToken.
- No support for ERC-721, ERC-777, ERC-1155 in the staking contracts themselves.

**What emergency actions may you want to use as a reason to downgrade an otherwise valid bug report?**

- The bug requires privileged roles (TIMELOCK_ROLE / ADMIN_ROLE) to mis-configure a contract in a way that is already disallowed by policy.
- The issue is a gas-optimisation or low-severity DOS that does not cause loss of funds or permanent unavailability.
- Attacks that rely on an external system (e.g. the treasury implementation, oracle feeds, validators’ off-chain behaviour) operating maliciously within their allowed privileges.
- Issues that only affect test / script code or out-of-scope directories.
- Findings that depend on the administrator intentionally doing things.

**What addresses would you consider any bug report requiring their involvement be out of scope, even if they exceed the privileges attributed to them?**

The addresses holding the following roles are considered trusted, and their actions, when performed within the defined capabilities of their roles, are out of scope:
- ADMIN_ROLE / TIMELOCK_ROLE: The system's highest-level administrators.
- VALIDATOR_ROLE: The role responsible for adding and removing validators from the set.
- REWARD_MANAGER_ROLE: The role responsible for managing reward tokens and their emission rates.
- l2AdminAddress (Validator Admin): The address that manages a specific validator's commission and other settings.

**What external dependencies are there?**

The project has the following key external dependencies:
- solidstate-solidity: Used for the core Diamond Proxy architecture.
- @openzeppelin/contracts-upgradeable: Used for standard, secure, and upgradeable components like ReentrancyGuardUpgradeable and SafeERC20.

**What are the most valuable educational resources already available? (Ie. Documentation, Explainer videos or articles, etc)**

- https://github.com/plumenetwork/contracts/blob/main/plume/SPIN.md <- Daily Spin & Raffle Contracts high level overview
- https://github.com/plumenetwork/contracts/tree/main/plume <- Plume’s staking contracts overview
- https://github.com/plumenetwork/contracts/tree/main/arc <- Arc explanations

__Reward Terms__

Rewards are distributed among SRs according to Immunefi’s [Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms) and includes All Star Pool and Podium Pool reserved for [All Star Program](https://immunefi.com/allstars/) participants. 

Rewards are denominated in USD and distributed in USDC on Ethereum.

The reward pool is determined by the greatest severity bug found.

- A Critical is found - **$200,000 USD**
- A High is found - **$150,000 USD**
- A Medium is found - **$100,000 USD**
- A Low is found 	- **$50,000 USD**
- If none of the above conditions apply then the reward pool is - **$30,000 USD**

Private known issues, meaning known issues that were not publicly disclosed, are valid and unlock the corresponding reward pool.

__Code Freeze Assurance__

Code of the assets in scope is frozen while the program is live.

Duplicate submissions of bugs are valid. Duplicate submissions of Insights are invalid.

The project commits to keeping private all info related to bug findings until this program is over. This means the project will not leak info about any bug findings or planned bug fixes, including bug findings found independently by the project or from concurrent private audits.

__Insight Rewards Payment Terms__

*Insight Rewards*: Portion of the Rewards Pool

*The "Insight" severity was introduced on Boost (Audit Competitions) & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. "Insights" underscores our commitment to valuing all types of contributions that contribute to a more secure environment. [View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)

**Duplicates of Insight reports are not eligible for a reward.**

__Proof of Concept (PoC) Requirements__

For this program, runnable PoC code is not required. Whitehats are instead required to write a step-by-step explanation of the PoC and impact.
For unclear reports or to resolve disputes Immunefi may still require a runnable PoC.Read more about it in [Audit Competition Proof-of-Concept Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/33260632501777-Audit-Competition-Proof-of-Concept-Rules)

Attackathon | Plume Network

Status

Status

Leaderboard is Empty