Lucky Strike v4 #253
Comments
@luckystrikeico We have already made two free audits for your smart contract. If you need a further audit you have to pay 830 USD.
@yuriy77k Hi Yuriy, your previous audits were useful, so yes, I will pay for the audit. Should I pay in CLO?
@luckystrikeico At the current rate you have to send 312000 CLO to 0x74682fc32007af0b6118f259cbe7bccc21641600
@yuriy77k Yury, I don't have any account on exchanges where CLO is listed. SimpleSwap has huge commissions. So can I pay by BTC?
@luckystrikeico Please send 0.10234 BTC to 38pZdVPQ9eCYVhX4NbYhNr2fZC8dyncRxg
@yuriy77k Done, please pay attention to the Additional notes in the Audit request. Thank you.
Estimated auditing time: 3 days
@RideSolo assigned.
Auditing time 3 days
@MrCrambo assigned
Estimated auditing time is 4 days.
@gorbunovperm assigned.
My report is finished.
Estimated audit time 3 days
@codeblcks not assigned. There are three auditors already.
LuckyStrike v4 Security Audit Report

1. Summary

LuckyStrike v4 smart contract security audit report performed by Callisto Security Audit Department

2. In scope

3. Findings

In total, 7 issues were reported including:

No critical security issues were found.

3.1. Truncated Value (Invest & Play)

Severity: medium

Description

Let's say that X is the invest and play amount:

Both conditions cannot be satisfied at the same time since B is not a multiple of A. The consequence is that a truncation will happen either when computing the bought tokens or when computing the number of tickets to be played. Also, as a reply to the previous comment of the developers ("The best way to reduce truncated ether is to solve it at the frontend (allowing user to buy certain amount of tickets), and not to make additional calculations in SC"), even the frontend cannot solve this since there is no possible way to meet both conditions.

Code snippet

https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1819#L1829
https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1827
https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1757

3.2. Jackpot Play Logical Error

Severity: note

Description

Users that play first have more chances to win the jackpot since their addresses will always stay eligible for all kinds of jackpot, meaning that newcomers have less and less chance to win any kind of jackpot since their addresses have been present for less time. This issue is caused by not removing addresses once a specific jackpot type is played.

The number of tickets playing in a jackpot is always set to ticketsTotal, which represents all the past tickets bought. For example, a daily jackpot should include only the tickets that were bought that day and not all the tickets bought since the start of the game; the developers should include a range of tickets that can win, following the time when they were bought, in accordance with the jackpot type.

The issue will demotivate users to play since they will have less chance to win the jackpot if the ticket list is long enough. Also please note that the same ticket can be randomly picked multiple times and be eligible for unlimited jackpot types since the ticket is not removed once it wins.

Code snippet

https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L2055
https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L2101
https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L2112
https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1779#L1781

3.3. Unplayed Bet

Severity: low

Description

If a bet is not played within 255 blocks since the bet was initiated, the player won't be eligible to challenge the king of the hill but will still be eligible for the different jackpots; however, the player bet value is not distributed over all different jackpots using

Code snippet

https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1903#L1917
https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1649#L1716

Recommendation

The player bet should be distributed over all different jackpots using

3.4. Block Gas Limit

Severity: note

Description

The number of tickets that a user can buy is limited by the amount of gas allowed to the transaction, with a maximum of the block gas limit, since there is a loop that sets the lottery tickets

This issue can only cause the transaction to throw for out of gas if the amount of ether to be played is too high.

Code snippet

https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1779#L1781

3.5. Owner Privileges

Severity: owner privileges

Description:

Code snippet

https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1591#L1629
https://gist.github.com/RideSolo/6bcabf27e0d738136c4187294b967008#file-lst-sol-L159#L164

3.6. Known vulnerabilities of ERC-20 token

Severity: low

Description

3.7. Possibility of minting more than hardCap

Severity: note

Description

Function

Code snippet

https://gist.github.com/RideSolo/6bcabf27e0d738136c4187294b967008#file-lst-sol-L353

4. Conclusion

The highlighted issues should be fixed before deploying the audited contracts.

5. Revealing audit reports

https://gist.github.com/yuriy77k/0ab37d365e5a49864a92065ef977d4b7
https://gist.github.com/yuriy77k/062ccb91ccb0e1ac317969407e40d1c2
https://gist.github.com/yuriy77k/988cf0e4b5da6393442374944deb08ae
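Added illustration for findings 3.2 and 3.4 above; this is example code written for this page, not the audit report's code and not the LuckyStrike or LST contracts. It shows the per-ticket storage loop pattern that 3.4 describes beside a range-based alternative whose purchase cost does not grow with the number of tickets bought, and which also yields the per-period ticket window that 3.2 asks for (a daily jackpot drawing only from tickets bought that day). The contract names, TICKET_PRICE, the Range struct and every function name are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not LuckyStrike code. Finding 3.4: every ticket written
// in a loop costs a storage write, so the purchase size is bounded by the
// gas the sender attaches and, ultimately, by the block gas limit.
contract TicketsPerLoop {
    uint256 public constant TICKET_PRICE = 0.001 ether; // assumed price
    address[] public ticketOwner;                        // one storage slot per ticket

    function buy() external payable {
        uint256 n = msg.value / TICKET_PRICE; // integer division; the remainder stays in the contract
        require(n > 0, "below ticket price");
        // Each iteration is an SSTORE of a fresh slot (about 20k gas), so a
        // purchase of a few thousand tickets runs out of gas and reverts.
        for (uint256 i = 0; i < n; i++) {
            ticketOwner.push(msg.sender);
        }
    }
}

// Same game state kept as ranges: one storage record per purchase, however
// large, plus the per-period ticket window that finding 3.2 asks for.
contract TicketsPerRange {
    uint256 public constant TICKET_PRICE = 0.001 ether; // assumed price

    struct Range {
        address owner;
        uint256 first;    // index of the first ticket in this purchase
        uint256 count;
        uint256 boughtAt; // block.timestamp of the purchase; non-decreasing across pushes
    }
    Range[] public ranges;
    uint256 public ticketsTotal;

    function buy() external payable {
        uint256 n = msg.value / TICKET_PRICE;
        require(n > 0, "below ticket price");
        ranges.push(Range(msg.sender, ticketsTotal, n, block.timestamp));
        ticketsTotal += n; // constant gas cost whatever n is
    }

    // Owner of ticket `id`: the last range whose `first` is <= id (binary search).
    function ownerOf(uint256 id) public view returns (address) {
        require(id < ticketsTotal, "no such ticket");
        uint256 lo = 0;
        uint256 hi = ranges.length;
        while (hi - lo > 1) {
            uint256 mid = (lo + hi) / 2;
            if (ranges[mid].first <= id) lo = mid; else hi = mid;
        }
        return ranges[lo].owner;
    }

    // Index of the first ticket bought at or after `since`. A jackpot for the
    // period starting at `since` should draw from [firstTicketSince(since),
    // ticketsTotal) instead of from every ticket bought since the game started.
    function firstTicketSince(uint256 since) public view returns (uint256) {
        uint256 lo = 0;
        uint256 hi = ranges.length;
        while (lo < hi) {
            uint256 mid = (lo + hi) / 2;
            if (ranges[mid].boughtAt < since) lo = mid + 1; else hi = mid;
        }
        return lo == ranges.length ? ticketsTotal : ranges[lo].first;
    }
}
```

With the range layout a jackpot draw for a period picks `first + r % (ticketsTotal - first)` where `first = firstTicketSince(periodStart)` and `r` is the game's random value, and resolves the winner with `ownerOf`; buying a thousand tickets costs the same single record as buying one. Both searches rely on `ranges` being appended in order, which `buy` guarantees.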
Audit request
Lucky Strike, based fully in Ethereum smart-contract, is bringing the core philosophy of blockchain to the gambling industry – enhancing it with an ICO model we’re calling ‘Bet & Own.’
Source code
https://ropsten.etherscan.io/address/0xbce45fee20ebfa7ee8c0e6ee9755753883a48b05#contracts (game contract)
https://ropsten.etherscan.io/address/0x830991dc0bd8250def572bacd01f4c4cacb1fdb7#contracts (tokens contract)
Disclosure policy
You can write about any issues directly in the comments.
Platform
ETH
Previous audit
#219 (comment)
Release notes
Fixes and changes in LuckyStrike.sol :
Now bets can be played only in sequence, exactly as bets were placed. No possibility to change the order in which bets are played.
see lines 1726-1729, 1746-1751, 1756-1763, 1880-1885, 1921, 1991
see lines 1433-1439
see lines 1479-1482, 2136-2149, 2036
Additional notes
To improve the audit process it would be better for auditors to play the game and test it, so auditors can better understand the gameplay and check all smart contract cases.
Game is available in Ropsten testnet. Have fun! :)
Number of lines:
1644 * 0.5 = 822 (reaudit)