Lucky Strike v3 #219

Closed
luckystrikeico opened this issue Apr 18, 2019 · 9 comments

@luckystrikeico
commented Apr 18, 2019

Audit request

Lucky Strike, based fully on an Ethereum smart contract, is bringing the core philosophy of blockchain to the gambling industry – enhancing it with an ICO model we’re calling ‘Bet & Own.’

Source code

https://ropsten.etherscan.io/address/0x78c32ffb7d209457a75e6c25854f19de58d64a4b#code (game contract)

https://ropsten.etherscan.io/address/0xfd9f46d87625f1f8ee06fdb7f5e93c745005aae2#code (tokens contract)

Disclosure policy

You can write about any issues directly in the comments.

Platform

ETH

Previous audit

#152 (comment)

Release notes

  • record the number of the block in which the current king became king (please note that other victories of this king can be found in the same block)
  • record previous king as the first victory of a new king
  • change accounts for funds and team tokens

Changes after previous audit:

  • 3.1. No Distributed Dividends > rename functions and variables from 'dividends' to 'income'
  • 3.6. Max Block Number difference > change from 250 to 255
  • won't fix: add to transfer(_to address, ...) : require( _to != address(this) );
  • 3.8. Front-Running attack
  • 3.9. Zero address checking required
  • 3.10. Wrong function name

Number of lines:

1618 * 0.5 (reaudit coefficient) = 809

@luckystrikeico

Author

commented Apr 24, 2019

Hello, @yuriy77k! Could you please read our reply on the previous audit and check the latest version of the contract with fixes to confirm that everything is fine?

Thank you!

@MrCrambo


commented Apr 25, 2019

Auditing time 3 days

@danbogd


commented Apr 25, 2019

Auditing time: 3 days

@yuriy77k

Member

commented Apr 25, 2019

@MrCrambo @danbogd assigned

@gorbunovperm


commented Apr 26, 2019

Estimated auditing time is 3 days.

@yuriy77k

Member

commented Apr 26, 2019

@gorbunovperm assigned

@danbogd


commented Apr 26, 2019

My report is finished.

@gorbunovperm


commented Apr 29, 2019

My report is finished.

@yuriy77k

Member

commented May 4, 2019

Lucky Strike v3 Security Audit Report

1. Summary

Lucky Strike v3 smart contract security audit report performed by Callisto Security Audit Department.

2. In scope

  1. LuckyStrike
  2. LuckyStrikeTokens

3. Findings

In total, 3 issues were reported including:

  • 1 medium severity issue.

  • 1 note.

  • 1 owner privileges (ability of owner to manipulate contract, may be risky for investors).

No critical security issues were found.

3.1. It is possible to use Ahead of The Curve strategy

Severity: medium

Description

Formula of the random calculation is:

    bytes32 seed = keccak256(
        block.blockhash(lastInstantGameBlockNumber[player])
    );

    uint256 randomNumber = uint256(seed) % ticketsInTheInstantGame;

The result of the player's fight with the King of the hill is known immediately after the player has placed a bet. But the result will be applied only after calling the play method. This way different players can use information about bets (and block hashes) for their own profit.

  • For example, the King of the hill can choose to fight with the enemy (among the few players who made bets) which will lose (the king knows the result in advance) and call the play(looser_address) method. Thus, he can choose the order of battles, first collecting winnings, and then losing.

  • Another case is when the attacker is a player. Knowing that he will win against the King of the mountain (and he can find out), the attacker initiates a fight with the King ahead of other players, then acts in accordance with paragraph 1. Or, if the attacker knows he's going to lose to the King, he can wait for someone to fight with the King and, when the new King comes up the hill, fight him.

Code snippet

Recommendation

There should not be a gap between reliable information that someone won and the fact of it. A good solution would be to play all the instant games in the first block after any bet. Even if there were several bets in one block, they all need to be played at the first next appeal to the contract.

3.2. Possibility of minting more than hardCap

Severity: note

Description

Function mint allows owner to mint more tokens than hardCap.

Code snippet

Recommendation

You should check (invested + _invested) > hardCap before minting and if it's true, mint only hardCap - invested number of tokens and return remainder to investor.

3.3. Owner Privileges

Severity: owner privileges

Description

adjustAllocation function allows the owner to reset the rates of the different jackpots and income rate.

Code snippet

4. Conclusion

The audited smart contract must not be deployed. Medium severity issue must be fixed prior to the usage of this contract.

5. Revealing audit reports

https://gist.github.com/yuriy77k/499ce0873c5827863c85ec75aded02cc

https://gist.github.com/yuriy77k/7272da582aff4271a908ca106ef9086d

https://gist.github.com/yuriy77k/e4b4e4f96d65e67683fcf76ba1967ff6
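
Added example, not part of the audit report or of the Lucky Strike contracts: one way to implement the recommendation in finding 3.1, where every bet is queued and the next call to the contract settles queued bets in arrival order, so no caller picks which battle is played first. The contract name, queue layout, events, TICKETS and MAX_BATCH are assumptions, and stake and payout handling are left out.

```solidity
pragma solidity ^0.5.0;

// Added illustration with hypothetical names; not LuckyStrike's code.
contract InstantGameQueue {
    struct Bet { address player; uint256 blockNumber; }

    Bet[] private queue;    // bets in arrival order
    uint256 private head;   // index of the first unsettled bet

    uint256 public constant TICKETS = 100;  // stands in for ticketsInTheInstantGame
    uint256 public constant MAX_BATCH = 20; // bounds the gas used per call

    event Settled(address indexed player, uint256 randomNumber);
    event Expired(address indexed player);

    // Every entry point settles older bets before doing anything else.
    function placeBet() external {
        settlePending();
        queue.push(Bet(msg.sender, block.number));
    }

    // Anyone may call this; the order is fixed by the queue, not by the caller.
    function settlePending() public {
        uint256 done = 0;
        while (head < queue.length && done < MAX_BATCH) {
            Bet memory bet = queue[head];
            if (bet.blockNumber >= block.number) {
                break; // hash of the bet's block is not available yet
            }
            bytes32 h = blockhash(bet.blockNumber);
            if (h == bytes32(0)) {
                // blockhash only covers the 256 most recent blocks
                emit Expired(bet.player);
            } else {
                // same derivation as the formula quoted in finding 3.1
                uint256 randomNumber =
                    uint256(keccak256(abi.encodePacked(h))) % TICKETS;
                emit Settled(bet.player, randomNumber);
            }
            delete queue[head];
            head++;
            done++;
        }
    }
}
```

With MAX_BATCH in place a long queue may need several calls to drain, but the settlement order still cannot be chosen by the caller.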

@yuriy77k yuriy77k closed this May 4, 2019
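
Added example, not part of the audit report or of the LuckyStrikeTokens contract: a minimal mint that applies the check recommended in finding 3.2, clamping the accepted amount to the room left under hardCap and reporting the remainder so it can be returned to the investor. The contract name, the event, the mint signature and the rate of one token unit per wei are assumptions.

```solidity
pragma solidity ^0.5.0;

// Added illustration with hypothetical names; not the audited code.
contract CappedMint {
    address public owner;
    uint256 public hardCap;     // maximum total investment, in wei
    uint256 public invested;    // investment accepted so far, in wei
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    event Minted(address indexed to, uint256 accepted, uint256 remainder);

    constructor(uint256 _hardCap) public {
        owner = msg.sender;
        hardCap = _hardCap;
    }

    // Returns the part of _invested that did not fit under hardCap,
    // so the caller can return it to the investor.
    function mint(address _to, uint256 _invested)
        external
        returns (uint256 remainder)
    {
        require(msg.sender == owner, "owner only");
        require(_to != address(0), "zero address");

        // invested never exceeds hardCap, so this cannot underflow.
        uint256 room = hardCap - invested;
        uint256 accepted = _invested;

        // Equivalent to (invested + _invested) > hardCap, but the
        // comparison cannot overflow for very large _invested.
        if (_invested > room) {
            accepted = room;
            remainder = _invested - room;
        }

        invested += accepted;
        totalSupply += accepted;
        balanceOf[_to] += accepted; // 1 token unit per wei (assumed rate)
        emit Minted(_to, accepted, remainder);
    }
}
```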

@luckystrikeico luckystrikeico referenced this issue May 21, 2019

Closed

Lucky Strike v4 #253

3 of 3 tasks complete