Lucky Strike v4

[luckystrikeico]

Audit request

Lucky Strike, based fully in Ethereum smart-contract, is bringing the core philosophy of blockchain to the gambling industry – enhancing it with an ICO model we’re calling ‘Bet & Own.’

Source code

https://ropsten.etherscan.io/address/0xbce45fee20ebfa7ee8c0e6ee9755753883a48b05#contracts (game contract)

https://ropsten.etherscan.io/address/0x830991dc0bd8250def572bacd01f4c4cacb1fdb7#contracts (tokens contract)

Disclosure policy

You can write about any issues directly in the comments.

Platform

ETH

Previous audit

#219 (comment)

Release notes

Fixes and changes in LuckyStrike.sol :

• Fixed: "3.1. It is possible to use Ahead of The Curve strategy"

Now bets can be played only in sequence - exactly as bets were placed. No possibility to change the order in with bets are played.
see lines 1726-1729, 1746-1751, 1756-1763, 1880-1885, 1921, 1991

• Contract owner can change amount of gas provided to Oraclize. In practice we discovered that the needed amount of gas can vary.

see lines 1433-1439

• If transaction from Oraclize failed, the jackpot can be re-started

see lines 1479-1482, 2136-2149, 2036

Additional notes

To improve the audit process it would be better auditors to play the game and test it, so auditors can better understand gameplay and check all smart contract cases.

Game is available in Ropsten testnet. Have fun! :)

Number of lines:
1644 * 0.5 = 822 (reaudit)

[yuriy77k]

@luckystrikeico We already made two free audits for your smart contract. If you need further audit you have to pay 830 USD.

[luckystrikeico]

@yuriy77k Hi Yuriy, your previous audits was useful, so yes I will pay for audit. Should I pay in CLO?

[yuriy77k]

@luckystrikeico by the current rate you have to send 312000 CLO to 0x74682fc32007af0b6118f259cbe7bccc21641600

[luckystrikeico]

@yuriy77k Yury, I don't have any account on exchanges where CLO is listed. SimpleSwap have huge commissions. So can I pay by BTC?

[yuriy77k]

@luckystrikeico please, send 0.10234 BTC to 38pZdVPQ9eCYVhX4NbYhNr2fZC8dyncRxg

[luckystrikeico]

@yuriy77k done, please pay attention to Additional notes in Audit request. Thank you.

[RideSolo]

Estimated auditing time: 3 days

[yuriy77k]

@RideSolo assigned.

please pay attention to Additional notes in Audit request. Thank you.

[MrCrambo]

Auditing time 3 days

[yuriy77k]

@MrCrambo assigned

please pay attention to Additional notes in Audit request. Thank you.

[gorbunovperm]

Estimated auditing time is 4 days.

[yuriy77k]

@gorbunovperm assigned.

please pay attention to Additional notes in Audit request. Thank you.

[gorbunovperm]

My report is finished.

[ghost]

Estimated audit time 3 days

[yuriy77k]

@codeblcks not assigned. There are three auditors already.

[yuriy77k]

LuckyStrike v4 Security Audit Report

1. Summary

LuckyStrike v4 smart contract security audit report performed by Callisto Security Audit Department

2. In scope

• LuckyStrike.
• LuckStrike Token.

3. Findings

In total, 7 issues were reported including:

• 1 medium severity issues.

• 2 low severity issues.

• 3 notes.

• 1 owner privileges (the ability of an owner to manipulate contract, may be risky for investors).

No critical security issues were found.

3.1. Truncated Value (Invest & Play)

Severity: medium

Description

let's say that X is the invest and play amount:

• 1/5 will be used to mint tokens ( token price is 0.00015 eth).

• 4/5 will be used on bet (ticket price is 0.02)

• The value of tokens bought will be (1/5) * X /0.00015. In order to not have truncated value when computing the tokens bought, X has to be a multiple of A that is equal to 0.00015 / (1/5).

• The value of tickets bought will be (4/5) * X / 0.02. In order to not have a truncated value when computing the number of ticket bought, X has to be a multiple of B that is equal to 0.02 / (4/5).

Both condition cannot be satisfied at the same time since B is not a multiple of A. the consequences is that either a truncation will happen when computing the bought tokens or when computing the number of tickets to be played.

Also as a reply the the previous comment of the developers "The best way to reduce truncated ether is to solve it at the frontend (allowing user to buy certain amount of tickets), and not to make additional calculations in SC" even the frontend cannot solve this since there is no possible way to meet both conditions.

Code snippet

https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1819#L1829

https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1827

https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1757

3.2. Jackpot Play Logical Error

Severity: note

Description

Users that play first have more chances to win the jackpot since their addresses will always stay eligible for all kind of jackpot, meaning that new comers have less and less chances to win the any kind of jackpot since their address have been present for less time.

This issue is caused by not removing addresses once the a specific jackpot type is played.

The number of tickets playing in a jackpot is always set to ticketsTotal, that represent all the past tickets bought, for example a daily jackpot should include tickets that were bought that day only and not the whole tickets bought since the start of the game, the developers should include a range of tickets that can only win following the time when they were bought in accordance to the jackpot type.

The issue will demotivate users to play since they will have less chances to win the jackpot if the ticket list is long enough, also please note that a same ticket can be randomly picked multiple times and be eligible for unlimited jackpot types since the ticket is not removed once he wins.

Code snippet

https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L2055

https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L2101

https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L2112

https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1779#L1781

3.3. Unplayed Bet

Severity: low

Description

If a bet is not played within 255 blocks since the bet was initiated the player won't be eligible to challenge the king of the hill but he will still be eligible for the different jackpots, however the player bet value is not distributed over all different jackpots using allocateSum function as used in here, this issue represent a direct logical error, and also loss for the players that are running for the jackpots.

Code snippet

https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1903#L1917

https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1649#L1716

Recommendation

The player bet should be distributed over all different jackpots using allocateSum if bet is unplayed. For example in line 1918.

3.4. Block Gas Limit

Severity: note

Description

The number of tickets that a user can buy is limited by the amount of gas allowed to the transaction and with a maximum of block gas limit since there is a loop that set the lottery tickets theLotteryTicket to their owners one by one.

This issue can just cause transaction throw for out of gas, if the amount of ether to be played is too high.

Code snippet

https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1779#L1781

3.5. Owner Privileges

Severity: owner privileges

Description:

• adjustAllocation function allows the owner to reset the rates of the different jackpots and income rate as wished.
• 70M tokens are first distributed by the owner that represent 10500 ether, the token sale hardcap is 4500 ether, meaning that the developers allow them self more than a third of the total income of the bet game, investors have to be aware of such usage.

Code snippet

https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1591#L1629

https://gist.github.com/RideSolo/6bcabf27e0d738136c4187294b967008#file-lst-sol-L159#L164

3.6. Known vulnerabilities of ERC-20 token

Severity: low

Description

1. It is possible to double withdrawal attack. More details here
2. Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here

3.7. Possibility of minting more than hardCap

Severity: note

Description

Function mint allows owner to mint more tokens than hardCap.

Code snippet

https://gist.github.com/RideSolo/6bcabf27e0d738136c4187294b967008#file-lst-sol-L353

4. Conclusion

The highlighted issues should be fixed before deploying the audited contracts.

5. Revealing audit reports

https://gist.github.com/yuriy77k/0ab37d365e5a49864a92065ef977d4b7

https://gist.github.com/yuriy77k/062ccb91ccb0e1ac317969407e40d1c2

https://gist.github.com/yuriy77k/988cf0e4b5da6393442374944deb08ae