Lucky Strike v2 #152
Comments
@luckystrikeico the priority fee is 120 000 CLO, please send it to 0x74682fc32007af0b6118f259cbe7bccc21641600 |
@yuriy77k I gave an explanation regarding the reported issues and I would like you to keep these explanations in mind when you audit the new version of the contract. I'll pay for the audit today, |
@yuriy77k I’ve paid for the audit, but before you start, I would like to fix issues discovered during previous audit. As soon as I publish the new version of the contract I’ll let you know so you can start auditing. Thank you. |
@luckystrikeico Ok, thank you. |
@yuriy77k Hi Yuriy, I've just deployed a new version of the contract on Ropsten, so you can start the audit. |
Auditors, please, take this High priority contract. |
Auditing time 4 days |
Estimated auditing time is 6 days. |
@MrCrambo @gorbunovperm assigned |
Audit time: 4 days. |
@RideSolo assigned |
My report is finished. |
Security Audit Report

1. Summary
Lucky Strike v2 Game contract and Tokens contract security audit report performed by Callisto Security Audit Department

2. In scope

3. Findings
In total, 11 issues were reported including:

3.1. No Distributed Dividends
Severity: medium
Description
Following the name
Please note that the game contract income is sent to the token contract through this function.
Code snippet
https://gist.github.com/yuriy77k/0dd00c458d10ecc40dc553eafe4c7a18#file-luckystriketokens_v2-sol-L188

3.2. Truncated Users Ticket Ether
Severity: low
Description
As described previously here, and even though the developers explained that the remaining ether is not sent back because of gas optimization, the issue is still applicable. The ticket price is set to be equal to 0.02 ether:
equivalent to 2.7702 USD at the moment of writing; knowing that a transfer function consumes 2100 gas and supposing the gas price to be set to 20 gwei, the amount to be saved will be 0.00000276 USD at the moment of writing. Please note that the truncated ether will be lost in the contract itself.
Code snippet
https://gist.github.com/yuriy77k/769fc987f0e7680c70255ff999aa2945#file-luckystrike_v2-sol-L1404
https://gist.github.com/yuriy77k/769fc987f0e7680c70255ff999aa2945#file-luckystrike_v2-sol-L1733

3.3. Truncated Investors Token Value
Severity: medium
Description
Lucky Strike token decimals value is equal to zero, which means that no value after the decimal point is saved. As a similar issue to 3.2, when computing the tokens to mint for an investor, the fifth of the sent value when calling
Code snippet
https://gist.github.com/yuriy77k/769fc987f0e7680c70255ff999aa2945#file-luckystrike_v2-sol-L1782
https://gist.github.com/yuriy77k/769fc987f0e7680c70255ff999aa2945#file-luckystrike_v2-sol-L1797

3.4. Owner Privileges
Severity: medium
Description
Code snippet

3.5. Game Contract Init
Severity: low
Description
The ether sent through
Code snippet
https://gist.github.com/yuriy77k/769fc987f0e7680c70255ff999aa2945#file-luckystrike_v2-sol-L1499
https://gist.github.com/yuriy77k/769fc987f0e7680c70255ff999aa2945#file-luckystrike_v2-sol-L1506

3.6. Max Block Number difference
Severity: minor observation
Description
Once the bet is placed, the users cannot wait more than 256 blocks to play it, otherwise the blockhash used as seed will be zero; however, the maximum number of blocks allowed since the last bet is set to 250, which reduces the playing time of the users by 6 blocks. This logic penalizes the users with no direct reason.
Code snippet
https://gist.github.com/yuriy77k/769fc987f0e7680c70255ff999aa2945#file-luckystrike_v2-sol-L1906
Recommendation
The condition should be changed to be less than 256.

3.7. Known vulnerabilities of ERC-20 token
Severity: low
Description
Recommendation
Add the following code to the

3.8. Front-Running attack
Severity: high
Description
The calculation of the jackpot winner in this contract is done with the help of oraclize. Calling the
// _result -- argument of __callback function
bytes32 hashOfTheRandomString = keccak256(_result);
uint256 randomNumberSeed = uint256(hashOfTheRandomString);
uint256 randomNumber = randomNumberSeed % ticketsTotal;
address winner = theLotteryTicket[randomNumber];
Thus knowing the random number, and changing the
Code snippet
https://gist.github.com/yuriy77k/769fc987f0e7680c70255ff999aa2945#file-luckystrike_v2-sol-L2091
Recommendation
Form the list of participants of the jackpot in

3.9. Zero address checking required
Severity: low
Description
In functions
Code snippet
https://gist.github.com/yuriy77k/0dd00c458d10ecc40dc553eafe4c7a18#file-luckystriketokens_v2-sol-L133
https://gist.github.com/yuriy77k/769fc987f0e7680c70255ff999aa2945#file-luckystrike_v2-sol-L1499
Recommendation
Add zero address checking.
require(luckyStrikeContractAddress != address(0));

3.10. Wrong function name
Severity: minor observation
Description
As mentioned in function name
Code snippet
https://gist.github.com/yuriy77k/0dd00c458d10ecc40dc553eafe4c7a18#file-luckystriketokens_v2-sol-L188

3.11. Possibility of minting more than hardCap
Severity: low
Description
In function
Code snippet
https://gist.github.com/yuriy77k/0dd00c458d10ecc40dc553eafe4c7a18#file-luckystriketokens_v2-sol-L329
Recommendation
You should check

4. Conclusion
The audited smart contract must not be deployed. Reported issues must be fixed prior to the usage of this contract.

5. Revealing audit reports
https://gist.github.com/yuriy77k/ec08e4dc98ad15d3acf5f98fa46698f8
https://gist.github.com/yuriy77k/390c1e56bad8cfea523d27e9441a026d
https://gist.github.com/yuriy77k/027c72baabd8c4193dca80024a3b2758 |
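The following contract is an added illustration written for this thread, not code from the Lucky Strike contracts or from the auditors. It shows one way to close findings 3.6, 3.8 and 3.9 of the report above in a single small contract: the bet window is bounded by the 256-block availability of blockhash(), the jackpot winner is drawn from a participant list frozen at the moment the oracle is asked for randomness, and every address setter rejects the zero address. The names JackpotDrawExample, oracleAddress, drawParticipants, requestJackpotDraw and the 0.02 ether ticket price are assumptions; oracleAddress stands in for oraclize's own callback-address check, and the query id is passed in by hand instead of coming from oraclize_query.

```solidity
pragma solidity ^0.4.24;

// Added illustration, not the Lucky Strike code: closing findings 3.6, 3.8 and 3.9.
contract JackpotDrawExample {
    address public owner;
    // Assumption: stand-in for oraclize_cbAddress(); only this address may call __callback.
    address public oracleAddress;

    address[] public theLotteryTicket;   // tickets of the round currently on sale
    address[] private drawParticipants;  // frozen copy taken when the draw is requested (3.8)
    bool public drawPending;
    bytes32 public pendingQueryId;
    uint256 public jackpot;              // ether collected for the round on sale
    uint256 public drawJackpot;          // ether reserved for the pending draw

    mapping(address => uint256) public betBlock;  // block in which each player's bet was placed

    event JackpotWinner(address winner, uint256 amount);

    constructor(address _oracleAddress) public {
        require(_oracleAddress != address(0), "zero oracle address");  // 3.9
        owner = msg.sender;
        oracleAddress = _oracleAddress;
    }

    function setOracleAddress(address _oracleAddress) public {
        require(msg.sender == owner);
        require(_oracleAddress != address(0), "zero oracle address");  // 3.9
        oracleAddress = _oracleAddress;
    }

    function buyTicket() public payable {
        require(msg.value == 0.02 ether, "exact ticket price required");
        theLotteryTicket.push(msg.sender);
        jackpot += msg.value;
    }

    // 3.6: blockhash() only covers the 256 most recent blocks (and is zero for the
    // current one), so the waiting window is "fewer than 256 blocks", not 250.
    // The seed comes from the block after the bet, so it is unknown when the bet
    // transaction itself is mined.
    function placeBet() public {
        betBlock[msg.sender] = block.number;
    }

    function playBet() public view returns (uint256 roll) {
        uint256 seedBlock = betBlock[msg.sender] + 1;
        require(betBlock[msg.sender] != 0 && block.number > seedBlock, "seed block not mined yet");
        require(block.number - seedBlock < 256, "bet expired: blockhash no longer available");
        bytes32 seed = blockhash(seedBlock);
        require(seed != bytes32(0));
        roll = uint256(seed) % 100;
    }

    // 3.8: freeze the participant list and the prize *before* asking the oracle for the
    // random string. Tickets bought between the request and the callback belong to the
    // next round and cannot shift the index that the winning number maps to.
    function requestJackpotDraw(bytes32 _queryId) public {
        require(msg.sender == owner);
        require(!drawPending && theLotteryTicket.length > 0, "nothing to draw");
        drawParticipants = theLotteryTicket;   // storage-to-storage copy
        delete theLotteryTicket;
        drawJackpot = jackpot;
        jackpot = 0;
        drawPending = true;
        pendingQueryId = _queryId;   // assumption: the real contract would store the id returned by oraclize_query
    }

    function __callback(bytes32 _queryId, string _result) public {
        require(msg.sender == oracleAddress, "callback not from oracle");
        require(drawPending && _queryId == pendingQueryId, "unexpected callback");
        uint256 randomNumber = uint256(keccak256(abi.encodePacked(_result))) % drawParticipants.length;
        address winner = drawParticipants[randomNumber];
        uint256 amount = drawJackpot;
        drawJackpot = 0;
        drawPending = false;
        delete drawParticipants;
        emit JackpotWinner(winner, amount);   // state is settled before ether leaves the contract
        winner.transfer(amount);
    }
}
```

The point of the copy in requestJackpotDraw is that the index computed in __callback is taken modulo a length that nobody can change once the oracle request is out; whoever sees the callback transaction in the mempool can still compute the winning index, but there is no longer a way to alter which address sits at it.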
3.1. No Distributed Dividends
It's not about the code, it's about economics. This all will be explicitly described on the ICO website.
3.2. Truncated Users Ticket Ether
Gas optimization here was not about saving the gas needed to pay ETH back, it was about the general level of the contract complication and number of variables.
3.3. Truncated Investors Token Value
The same idea as for 3.2.
3.4.
Developers and investors have the same interests here. Investors cannot lose because the developer is able to change the rates of the different jackpots and the income rate.
3.5. Game Contract Init
'init' function is called one time only, immediately after deploying the contract, and by the developer only.
3.6. Max Block Number difference
Will be fixed.
3.7. Known vulnerabilities of ERC-20 token
So we just follow the standard ("The contract itself shouldn't enforce it, to allow backwards compatibility with contracts deployed before"). We choose not to allow web interface users to use 'approve' at all.
Because in our smart contract we already handle the case of tokens sent to the smart contract itself.
3.8. Front-Running attack
Will be fixed.
3.9. Zero address checking required
Same as 3.5.
3.10. Wrong function name
Will be fixed.
3.11. Possibility of minting more than hardCap
We know it's possible. But we don't see a problem here. |
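Findings 3.2, 3.3 and 3.11 all come down to integer arithmetic: wei below one ticket or one whole token is dropped by the division and stays in the contract, and a mint with no cap check can push totalSupply past hardCap. The contract below is an added illustration for this thread, not the Lucky Strike code, and places each "before" function next to a version that refunds the remainder and enforces the cap. TruncationExample, tokenPrice, hardCap, strandedWei and the "one fifth of the payment buys tokens" split are assumptions; only the 0.02 ether ticket price and decimals == 0 come from the report.

```solidity
pragma solidity ^0.4.24;

// Added illustration, not the Lucky Strike code: the integer-division loss behind
// findings 3.2 and 3.3 and the missing cap check of 3.11, each next to a fixed version.
contract TruncationExample {
    uint256 public constant ticketPrice = 0.02 ether;
    uint256 public constant tokenPrice = 0.001 ether;   // assumed price of one whole token
    uint256 public constant hardCap = 1000000;          // assumed cap, in whole tokens (decimals == 0)

    uint256 public totalSupply;
    mapping(address => uint256) public balances;
    mapping(address => uint256) public tickets;
    uint256 public strandedWei;   // "before" paths: ether that no account can ever withdraw

    // BEFORE (3.2): 0.05 ether buys two tickets and the remaining 0.01 ether is stranded.
    function buyTicketsTruncating() public payable {
        uint256 count = msg.value / ticketPrice;
        require(count > 0, "less than one ticket");
        tickets[msg.sender] += count;
        strandedWei += msg.value - count * ticketPrice;
    }

    // AFTER (3.2): the change goes back to the buyer in the same transaction, and only
    // after every state update so a re-entering buyer sees consistent state.
    function buyTickets() public payable {
        uint256 count = msg.value / ticketPrice;
        require(count > 0, "less than one ticket");
        uint256 change = msg.value - count * ticketPrice;
        tickets[msg.sender] += count;
        if (change > 0) {
            msg.sender.transfer(change);
        }
    }

    // BEFORE (3.3 and 3.11): with decimals == 0 everything below one whole token is
    // dropped by the second division, the dust stays in the contract, and nothing
    // stops totalSupply from passing hardCap.
    // Assumption: a fifth of the payment is what buys tokens, as the report describes.
    function investTruncating() public payable {
        uint256 investorShare = msg.value / 5;
        uint256 amount = investorShare / tokenPrice;
        balances[msg.sender] += amount;
        totalSupply += amount;
        strandedWei += investorShare - amount * tokenPrice;
    }

    // AFTER: refuse to pass the cap, consume only the wei that corresponds to whole
    // tokens, and return the rest to the investor.
    function invest() public payable {
        uint256 investorShare = msg.value / 5;
        uint256 amount = investorShare / tokenPrice;
        require(amount > 0, "payment below one token");
        require(totalSupply + amount <= hardCap, "hard cap reached");   // 3.11
        uint256 consumed = amount * tokenPrice * 5;   // the payment that yields exactly `amount` tokens
        uint256 change = msg.value - consumed;        // never underflows: consumed <= msg.value
        balances[msg.sender] += amount;
        totalSupply += amount;
        if (change > 0) {
            msg.sender.transfer(change);
        }
    }
}
```

Sending 0.0507 ether to invest() mints 10 tokens (a fifth is 0.01014 ether, which holds ten whole 0.001 ether tokens), consumes 0.05 ether and returns 0.0007 ether; investTruncating() mints the same 10 tokens but leaves 0.00014 ether stranded in the contract, which is the loss finding 3.3 describes and which the developer's reply above accepts as a deliberate trade-off.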
As soon as I deploy updated version of the contract I’ll create new audit request. |
Audit request
Lucky Strike, based fully on an Ethereum smart contract, is bringing the core philosophy of blockchain to the gambling industry – enhancing it with an ICO model we're calling 'Bet & Own.'
Source code
https://gist.github.com/yuriy77k/769fc987f0e7680c70255ff999aa2945 = Game contract
https://gist.github.com/yuriy77k/0dd00c458d10ecc40dc553eafe4c7a18 = Tokens contract
Disclosure policy
You can write about any issues directly in the comments.
Platform
ETH
Number of lines: 1612