This document is a security audit report performed by RideSolo, where LuckyStrike has been reviewed.
6 issues were reported:
- 3 medium severity issues.
- 2 low severity issues.
- 2 owner privilege.
let's say that X is the invest and play amount:
-
1/5 will be used to mint tokens ( token price is 0.00015 eth).
-
4/5 will be used on bet (ticket price is 0.02)
-
The value of tokens bought will be (1/5) * X /0.00015. In order to not have truncated value when computing the tokens bought, X has to be a multiple of A that is equal to 0.00015 / (1/5).
-
The value of tickets boughts will be (4/5) * X / 0.02. In order to not have a truncated value when computing the number of ticket bought, X has to be a multiple of B that is equal to 0.02 / (4/5).
Both condition cannot be satisfied at the same time since B is not a multiple of A. the consequences is that either a truncation will happen when computing the bought tokens or when computing the number of tickets to be played.
Also as a reply the the previous comment of the developers "The best way to reduce truncated ether is to solve it at the frontend (allowing user to buy certain amount of tickets), and not to make additional calculations in SC" even the frontend cannot solve this since there is no possible way to meet both conditions.
https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1819#L1829
https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1827
https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1757
Users that play first have more chances to win the jackpot since their addresses will alaways stay elgible for all kind of jackpot, meaning that new comers have less and less chances to win the any kind of jackpot since their address have been present for less time.
This issue is caused by not removing addresses once the a specific jackport type is played.
The number of tickets playing in a jackpot is always set to ticketsTotal, that represent all the past tickets bought, for example a daily jackpot should include tickets that were bought that day only and not the whole tickets bought since the start of the game, the developers should include a range of tickets that can only win following the time when they were bought in accordance to the jackpot type.
The issue will demotivate users to play since they will have less chances to win the jackpot if the ticket list is long enough, also please note that a same ticket can be randomly picked multiple times and be eligible for unlimited jackpot types since the ticket is not removed once he wins.
https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L2055
https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L2101
https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L2112
https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1779#L1781
If a bet is not played within 255 blocks since the bet was initiated the player won't be eligible to chalange the king of the hill but he will still be eligible for the different jackpots, however the player bet value is not distributed over all different jackpots using allocateSum function as used in here, this issue represent a direct logical error, and also loss for the players that are running for the jackpots.
https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1903#L1917
https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1649#L1716
The number of tickets that a user can buy is limited by the amount of gas alowed to the transaction and with a maximum of block gas limit since there is a loop that set the lottery tickets theLotteryTicket to their owners one by one.
This issue can just cause transaction throw for out of gas, if the amount of ether to be played is too high.
https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1779#L1781
adjustAllocationfunction allows the owner to reset the rates of the different jackpots and income rate as wished.- 70M tokens are first distributed by the owner that represent 10500 ether, the token sale hardcap is 4500 ether, meaning that the developers allow them self more than a third of the total income of the bet game, investors have to be aware of such usage.
https://gist.github.com/RideSolo/6c250a3cd6df86f07c3b5459dbb92283#file-luckystrike-sol-L1591#L1629
https://gist.github.com/RideSolo/6bcabf27e0d738136c4187294b967008#file-lst-sol-L159#L164
- It is possible to double withdrawal attack. More details here
- Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here
All highlighted issues should be fixed before deploying the audited contracts.