Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lucky Strike v3 #219

Closed
8 of 9 tasks
luckystrikeico opened this issue Apr 18, 2019 · 9 comments
Closed
8 of 9 tasks

Lucky Strike v3 #219

luckystrikeico opened this issue Apr 18, 2019 · 9 comments
Labels
approved Auditors can begin to audit this smart contract. solidity Smart-contract is written in solidity (Ethereum) language.

Comments

@luckystrikeico
Copy link

luckystrikeico commented Apr 18, 2019
edited by yuriy77k
Loading

Audit request

Lucky Strike, based fully in Ethereum smart-contract, is bringing the core philosophy of blockchain to the gambling industry – enhancing it with an ICO model we’re calling ‘Bet & Own.’

Source code

https://ropsten.etherscan.io/address/0x78c32ffb7d209457a75e6c25854f19de58d64a4b#code (game contract)

https://ropsten.etherscan.io/address/0xfd9f46d87625f1f8ee06fdb7f5e93c745005aae2#code (tokens contract)

Disclosure policy

You can write about any issues directly in the comments.

Platform

ETH

Previous audit

#152 (comment)

Release notes

  • record the number of block on which current king become a king (please note that in the same block can be other victories of this king found)
  • record previous king as the first victory of a new king
  • change accounts for funds and team tokens

Changes after previous audit:

  • 3.1. No Distributed Dividends > rename functions and variables from 'dividends' to 'income'
  • 3.6. Max Block Number difference > change from 250 to 255
  • won't fix: add to transfer(_to address, ...) : require( _to != address(this) );
  • 3.8. Front-Running attack
  • 3.9. Zero address checking required
  • 3.10. Wrong function name

Number of lines:

1618 * 0.5 (reaudit coeficient) = 809
@luckystrikeico
Copy link
Author

luckystrikeico commented Apr 24, 2019
edited
Loading

Hello, @yuriy77k ! Could you please read our reply on previous audit and check latest version of contract with fixes to confirm that everything is fine.

Thank you!

@yuriy77k yuriy77k added approved Auditors can begin to audit this smart contract. solidity Smart-contract is written in solidity (Ethereum) language. labels Apr 24, 2019
@MrCrambo
Copy link

Auditing time 3 days

@danbogd
Copy link

danbogd commented Apr 25, 2019

Auditing time: 3 days

@yuriy77k
Copy link
Contributor

@MrCrambo @danbogd assigned

@gorbunovperm
Copy link

Estimated auditing time is 3 days.

@yuriy77k
Copy link
Contributor

@gorbunovperm assigned

@danbogd
Copy link

danbogd commented Apr 26, 2019

My report is finished.

1 similar comment
@gorbunovperm
Copy link

My report is finished.

@yuriy77k
Copy link
Contributor

yuriy77k commented May 4, 2019

Lucky Strike v3 Security Audit Report

1. Summary

Lucky Strike v3 smart contract security audit report performed by Callisto Security Audit Department

2. In scope

  1. LuckyStrike
  2. LuckyStrikeTokens

3. Findings

In total, 3 issues were reported including:

  • 1 medium severity issues.

  • 1 notes.

  • 1 owner privileges (ability of owner to manipulate contract, may be risky for investors).

No critical security issues were found.

3.1. It is possible to use Ahead of The Curve strategy

Severity: medium

Description

Formula of the random calculation is:

    bytes32 seed = keccak256(
        block.blockhash(lastInstantGameBlockNumber[player])
    );

    uint256 randomNumber = uint256(seed) % ticketsInTheInstantGame;

The result of the player's fight with the King of the hill is known immediately after the player has placed a bet. But the result will be applied only after calling the play method. This way different players can use information about bets(and block hashes) for their own profit.

  • For example, the King of the hill can choose to fight with the enemy(among the few players who made bets) which will lose(the king knows the result in advance) and call play(looser_address) method. Thus, he can choose the order of battles, first collecting winnings, and then losing.

  • Another case if attacker is player. Knowing that he will win the King of the mountain(and he can find out), attacker initiates a fight with King ahead of other players. Further acting in accordance with paragraph 1. Or if attacker knows he's going to lose to the King, that he can wait for someone to fight with King and when the new King comes up the hill, fight him.

Code snippet

Recommendation

There should not be a gap between reliable information that someone won between the fact of this. A good solution would be to play all the instant games in the first block after the any bet. Even if there were several bets in one block, they all need to be played at the first next appeal to the contract.

3.2. Possibility of minting more than hardCap

Severity: note

Description

Function mint allows owner to mint more tokens than hardCap.

Code snippet

Recommendation

You should check (invested + _invested) > hardCap before minting and if it's true, mint only hardCap - invested number of tokens and return remainder to investor.

3.3. Owner Privileges

Severity: owner privileges

Description

adjustAllocation function allows the owner to reset the rates of the different jackpots and income rate.

Code snippet

4. Conclusion

The audited smart contract must not be deployed. Medium severity issue must be fixed prior to the usage of this contract.

5. Revealing audit reports

https://gist.github.com/yuriy77k/499ce0873c5827863c85ec75aded02cc

https://gist.github.com/yuriy77k/7272da582aff4271a908ca106ef9086d

https://gist.github.com/yuriy77k/e4b4e4f96d65e67683fcf76ba1967ff6

@yuriy77k yuriy77k closed this as completed May 4, 2019
@luckystrikeico luckystrikeico mentioned this issue May 21, 2019
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
approved Auditors can begin to audit this smart contract. solidity Smart-contract is written in solidity (Ethereum) language.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@MrCrambo @danbogd @gorbunovperm @yuriy77k @luckystrikeico