Lucky Strike #100
Comments
@luckystrikeico We provide free audit for contract developer. Please provide web site of project with contact email on it.
@yuriy77k The website is still in development stage, but I can confirm that I’m the contract developer by sending a sum of ETH from the address that is specified on etherscan as the contract creator to your address.
@yuriy77k upd:
@luckystrikeico Thank you. Request approved.
Auditing time 4 days
@MrCrambo assigned.
@luckystrikeico you can pay for priority audit. Send 116270 CLO to 0x74682Fc32007aF0b6118F259cBe7bCCC21641600
auditing time 3 days
@RideSolo assigned
Auditing time: ~ 7 days.
@danbogd assigned
Hi @yuriy77k,
1. Summary

LuckyStrike Project smart contract security audit report performed by Callisto Security Audit Department.

2. In scope

3. Findings

In total, 8 issues were reported including:

No critical security issues were found.

3.1. Fallback function

Severity: medium

Description

Users might not understand the sales functionality and deposit ether directly to the contract, like most ICOs do, and not get tokens. The token minting is done using

Code snippet

Recommendation

Only

3.2. Truncated Dividends Value

Severity: medium

Description

Code snippet

https://gist.github.com/yuriy77k/8111757d30637066b3b4bdb60b3525d0#file-luckystriketokens-sol-L168

3.3. Owner Withdrawal

Severity: low

Description

The only way that this function is useful is if ether is sent to the contract through the fallback function, and as highlighted before the fallback function should be removed.

Code snippet

3.4. Users Ether Loss (Invest & Play)

Severity: low

Description

If the amount of ether sent to the contract through

Code snippet

https://gist.github.com/yuriy77k/2d80694c23b89c543e832715b0b89305#file-luckystrike-sol-L1707
https://gist.github.com/yuriy77k/2d80694c23b89c543e832715b0b89305#file-luckystrike-sol-L1766
https://gist.github.com/yuriy77k/2d80694c23b89c543e832715b0b89305#file-luckystrike-sol-L1795

Recommendation

The remaining ether after each operation should be sent back to the user.

3.5. placeABet, Invest and InvestAndPlay

Severity: minor observation

Description

Following the previous points, each step allows different token bonuses and ticket numbers; the contract developers should explain their intentions and the users should be informed to avoid confusion.

Code snippet

https://gist.github.com/yuriy77k/2d80694c23b89c543e832715b0b89305#file-luckystrike-sol-L1795#L1803
https://gist.github.com/yuriy77k/2d80694c23b89c543e832715b0b89305#file-luckystrike-sol-L1754#L1780
https://gist.github.com/yuriy77k/2d80694c23b89c543e832715b0b89305#file-luckystrike-sol-L1699#L1730

3.6. Known vulnerabilities of ERC-20 token

Severity: low

Description

3.7. Zero address checking required

Severity: low

Description

No zero address checking in functions transferFrom, init

3.8. Wrong event names

Severity: minor observation

Description

Event names should start with an uppercase letter, but they start with lowercase.

4. Conclusion

The audited contracts are not fully safe; the contract developers should take the highlighted issues into consideration.

5. Revealing audit reports

https://gist.github.com/yuriy77k/1b39d542b89c8462ad258089105db637
https://gist.github.com/yuriy77k/764471730493e66ca9979d7c8b2a65bb
https://gist.github.com/yuriy77k/9a8422217622491e4f2c50b73abebe1a
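An added illustration, not the LuckyStrike code or the auditors' snippets, of the shape findings 3.1, 3.4, 3.7 and 3.8 point toward in a sale contract: plain ETH transfers are rejected instead of silently kept, invest() refunds the part of msg.value that buys no whole token, transfer() rejects the zero address, and the event name is capitalised. PRICE_WEI, invest and Invested are assumed names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sale skeleton written for this thread; names are assumptions.
contract SaleExample {
    uint256 public constant PRICE_WEI = 0.01 ether; // assumed price per token
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    address public owner;

    // 3.8: event names start with an uppercase letter.
    event Invested(address indexed buyer, uint256 tokens, uint256 refundWei);

    constructor() { owner = msg.sender; }

    // 3.1: a bare ETH transfer mints nothing, so reject it rather than keep the funds.
    receive() external payable { revert("use invest()"); }
    fallback() external payable { revert("unknown function"); }

    // 3.4: only the ether that buys whole tokens is kept; the remainder goes back.
    function invest() external payable {
        uint256 tokens = msg.value / PRICE_WEI;   // integer division truncates
        require(tokens > 0, "below minimum");
        uint256 refund = msg.value - tokens * PRICE_WEI;
        // effects before the external refund call (checks-effects-interactions)
        balanceOf[msg.sender] += tokens;
        totalSupply += tokens;
        emit Invested(msg.sender, tokens, refund);
        if (refund > 0) {
            (bool ok, ) = msg.sender.call{value: refund}("");
            require(ok, "refund failed");
        }
    }

    // 3.7: sending to address(0) would burn tokens by mistake, so refuse it.
    function transfer(address to, uint256 value) external returns (bool) {
        require(to != address(0), "zero address");
        require(balanceOf[msg.sender] >= value, "insufficient balance");
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
        return true;
    }
}
```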
The payment must be in CLO. The priority fee is 120 000 CLO, please send it to 0x74682fc32007af0b6118f259cbe7bccc21641600
3.1. Fallback function

The ability to receive ETH from any address is left on purpose.

3.2. Truncated Dividends Value

As we make calculations in Wei, the possible remainder of division is so small that it can be neglected.

3.3. Owner Withdrawal

"no ether is supposed to be left if totalSupply is null" - No. Smart contract can still receive ETH, even if all tokens are burned.

3.4. Users Ether Loss

This is done deliberately to reduce the amount of gas consumed by these functions.

3.5. placeABet, Invest and InvestAndPlay

Changed: In new version of smart contract we have changed the logic of tokens minting.

3.6. Known vulnerabilities of ERC-20 token

It's a well-known vulnerability in the approve function of the ERC-20 standard. We add this function in order to fully meet the standard, but our frontend does not implement 'approve' functionality. And we can assume that users working with a smart contract, bypassing our front-end, are advanced enough to know about the problem and the correct use of this function.

3.7. Zero address checking required

Very low severity. It's just a variant of using a wrong address.

3.8. Wrong event names

True, but does not affect functionality.
For this purpose it will be better to create a special function. For example:
It depends on the totalSupply value. In common cases, totalSupply values have the same order as the balance. We recommend fixing it.
Audit request
Lucky Strike, based fully on an Ethereum smart contract, is bringing the core philosophy of blockchain to the gambling industry – enhancing it with an ICO model we’re calling ‘Bet & Own.’
Source code
https://gist.github.com/yuriy77k/2d80694c23b89c543e832715b0b89305 (Game contract)
https://gist.github.com/yuriy77k/8111757d30637066b3b4bdb60b3525d0 (Tokens contract)
Disclosure policy
You can write about any issues found in code directly in the comments. Thank you.
Platform
ETH
Complexity
Medium