Lucky Strike v4 #253
Lucky Strike, based fully in Ethereum smart-contract, is bringing the core philosophy of blockchain to the gambling industry – enhancing it with an ICO model we’re calling ‘Bet & Own.’
You can write about any issues directly in the comments.
Fixes and changes in LuckyStrike.sol :
Now bets can be played only in sequence - exactly as bets were placed. No possibility to change the order in with bets are played.
see lines 1433-1439
see lines 1479-1482, 2136-2149, 2036
To improve the audit process it would be better auditors to play the game and test it, so auditors can better understand gameplay and check all smart contract cases.
Game is available in Ropsten testnet. Have fun! :)
Number of lines:
LuckyStrike v4 Security Audit Report
2. In scope
In total, 7 issues were reported including:
No critical security issues were found.
3.1. Truncated Value (Invest & Play)
let's say that X is the invest and play amount:
Both condition cannot be satisfied at the same time since B is not a multiple of A. the consequences is that either a truncation will happen when computing the bought tokens or when computing the number of tickets to be played.
Also as a reply the the previous comment of the developers "The best way to reduce truncated ether is to solve it at the frontend (allowing user to buy certain amount of tickets), and not to make additional calculations in SC" even the frontend cannot solve this since there is no possible way to meet both conditions.
3.2. Jackpot Play Logical Error
Users that play first have more chances to win the jackpot since their addresses will always stay eligible for all kind of jackpot, meaning that new comers have less and less chances to win the any kind of jackpot since their address have been present for less time.
This issue is caused by not removing addresses once the a specific jackpot type is played.
The number of tickets playing in a jackpot is always set to ticketsTotal, that represent all the past tickets bought, for example a daily jackpot should include tickets that were bought that day only and not the whole tickets bought since the start of the game, the developers should include a range of tickets that can only win following the time when they were bought in accordance to the jackpot type.
The issue will demotivate users to play since they will have less chances to win the jackpot if the ticket list is long enough, also please note that a same ticket can be randomly picked multiple times and be eligible for unlimited jackpot types since the ticket is not removed once he wins.
3.3. Unplayed Bet
If a bet is not played within 255 blocks since the bet was initiated the player won't be eligible to challenge the king of the hill but he will still be eligible for the different jackpots, however the player bet value is not distributed over all different jackpots using
The player bet should be distributed over all different jackpots using
3.4. Block Gas Limit
The number of tickets that a user can buy is limited by the amount of gas allowed to the transaction and with a maximum of block gas limit since there is a loop that set the lottery tickets
This issue can just cause transaction throw for out of gas, if the amount of ether to be played is too high.
3.5. Owner Privileges
Severity: owner privileges
3.6. Known vulnerabilities of ERC-20 token
3.7. Possibility of minting more than hardCap
The highlighted issues should be fixed before deploying the audited contracts.
5. Revealing audit reports