@jorisbontje
Last active August 29, 2015 14:11
Review of Powerball lottery bounty submission

Review of bounty submission

Bounty: 20 XCP bounty to build the ethereum smart contract logic for a powerball lottery on the blockchain using XCP

https://bitcointalk.org/index.php?topic=395761.msg9753544#msg9753544

Submission by semiel / Peter Borah: https://github.com/PeterBorah/ethereum-powerball

Review by Joris Bontje on https://github.com/PeterBorah/ethereum-powerball/commit/1a523c67dd7db7833c57c5d1c9fdb2a6f3acfc5b

Joris' XCP address 1Gu8Qo7Z87BbAUEp88s5Pgp875RBxUsBw9

0) if someone can write the logic on the lottery using whatever is compatible with what Adam has ported to mimic the powerball lottery.

clarified by PhantomPhreak: The two contracts systems are/will be 100% compatible. Just write PoC-7 Sepent [sic] code.

All contracts compile successfully with Serpent v1.7.6

1) include a section for the instantiator of the contract (lottery) to take a fee

The administrator makes their money by setting the probability and amounts for prize payouts, which is the closest the implementation comes to 'taking a fee': https://github.com/PeterBorah/ethereum-powerball/blob/1a523c67dd7db7833c57c5d1c9fdb2a6f3acfc5b/contracts/lotto.se#L101-L120

The administrator can withdraw their cut (any amount) as long as there is no current lotto running: https://github.com/PeterBorah/ethereum-powerball/blob/1a523c67dd7db7833c57c5d1c9fdb2a6f3acfc5b/contracts/lotto.se#L122-L130

2) it should be able to handle creating multiple "tickets"

Players can buy tickets directly: https://github.com/PeterBorah/ethereum-powerball/blob/1a523c67dd7db7833c57c5d1c9fdb2a6f3acfc5b/contracts/lotto.se#L27-L47

3) it should distribute the winning based on how many numbers people get X of Y numbers (similar to how state lottos work)

Winnings are based on the number of matching balls: https://github.com/PeterBorah/ethereum-powerball/blob/1a523c67dd7db7833c57c5d1c9fdb2a6f3acfc5b/contracts/lotto.se#L143-L183

4) it should allow people to send tickets

Tickets can be transferred: https://github.com/PeterBorah/ethereum-powerball/blob/1a523c67dd7db7833c57c5d1c9fdb2a6f3acfc5b/contracts/lotto.se#L57-L60

5) it should allow users to redeem tickets

Winning players need to claim their own winnings explicitly: https://github.com/PeterBorah/ethereum-powerball/blob/1a523c67dd7db7833c57c5d1c9fdb2a6f3acfc5b/contracts/lotto.se#L83-L95

6) it should set limits for when tickets can be redeemed

No, winnings can be claimed forever (but only once): https://github.com/PeterBorah/ethereum-powerball/blob/1a523c67dd7db7833c57c5d1c9fdb2a6f3acfc5b/contracts/lotto.se#L122-L130

Redemption deadline is configured, but not actually used when tickets are claimed: https://github.com/PeterBorah/ethereum-powerball/blob/1a523c67dd7db7833c57c5d1c9fdb2a6f3acfc5b/contracts/lotto.se#L19

7) if no one gets all the numbers the contract should roll over for another time period

The jackpot rolls over with a configurable increment: https://github.com/PeterBorah/ethereum-powerball/blob/1a523c67dd7db7833c57c5d1c9fdb2a6f3acfc5b/contracts/lotto.se#L200-L203

8) the initiator should be able to choose how many number fields, time block period, and his pay out, and possibly the distribution logic (if you want to get fancy).

Except for field numbers (as mentioned by semiel in his submission), the time block periods and payouts are configurable: https://github.com/PeterBorah/ethereum-powerball/blob/1a523c67dd7db7833c57c5d1c9fdb2a6f3acfc5b/contracts/lotto.se#L14-L25 https://github.com/PeterBorah/ethereum-powerball/blob/1a523c67dd7db7833c57c5d1c9fdb2a6f3acfc5b/contracts/lotto.se#L101-L120

9) it should be open source on github

Yes, available on GitHub under the MIT license: https://github.com/PeterBorah/ethereum-powerball

10) one of the XCP devs needs to look at it and say that the code is good (or a known, respected Ethereum dev)

The intent of the code is good, but I have identified a couple of flaws in the implementation:

  • As stated under 6, the redemption deadline isn't fully implemented. This is problematic as it conflicts with the administrator being able to withdraw funds after the deadline.
  • Winning numbers can be redrawn multiple times after the lottery deadline, potentially overriding previous drawings. https://github.com/PeterBorah/ethereum-powerball/blob/1a523c67dd7db7833c57c5d1c9fdb2a6f3acfc5b/contracts/lotto.se#L62-L81 As this can be triggered by anyone, this is a serious concern. I suggest 'freezing' the lottery after the lottery deadline until the redemption deadline has expired as well.
  • Relying on block.prevhash is a security risk, as it can be abused by miners / mining pools using a block withholding attack. Whether this is a real threat depends on the payout amount of the lotto. Since the RNG is configurable, I consider this to be good enough for the bounty for now.

Minor feedback for improvement:

  • use def init for automatic initialization upon contract creation
  • specify explicitly in requirements.txt which versions of the pyethereum / ethereum-serpent libraries are supported
  • create user interface ;)
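
The first two flaws listed above, together with the suggested 'freeze', can be modelled as a one-shot draw followed by a bounded claim window. This Python model is an added example, not code from the reviewed repository or from the review; the class, method and parameter names are hypothetical, `block` stands in for the block number, the numbers passed to `draw` stand in for the configurable RNG, the prize is a flat payout for an exact match, and administrator authentication is left out.

```python
class LottoRound:
    """Toy model of one lottery round (hypothetical names, not lotto.se)."""

    def __init__(self, lottery_deadline, redemption_deadline, payout, bankroll):
        self.lottery_deadline = lottery_deadline
        self.redemption_deadline = redemption_deadline
        self.payout = payout        # flat prize per winning ticket (simplification)
        self.balance = bankroll     # funds held by the contract
        self.tickets = {}           # ticket id -> (owner, numbers)
        self.claimed = set()
        self.winning = None         # written exactly once by draw()

    def buy(self, block, ticket_id, owner, numbers, price):
        if block >= self.lottery_deadline or ticket_id in self.tickets:
            return False            # sales closed, or id already taken
        self.tickets[ticket_id] = (owner, tuple(numbers))
        self.balance += price
        return True

    def draw(self, block, numbers):
        # Allowed only after the lottery deadline, and only once: a second
        # call must not overwrite the stored result (the round is frozen).
        if block < self.lottery_deadline or self.winning is not None:
            return False
        self.winning = tuple(numbers)
        return True

    def claim(self, block, ticket_id, caller):
        # Claims are honoured only between the draw and the redemption deadline.
        if self.winning is None or block >= self.redemption_deadline:
            return 0
        owner, numbers = self.tickets.get(ticket_id, (None, None))
        if caller != owner or ticket_id in self.claimed or numbers != self.winning:
            return 0
        if self.payout > self.balance:
            return 0
        self.claimed.add(ticket_id)
        self.balance -= self.payout
        return self.payout

    def withdraw(self, block, amount):
        # Funds stay locked until the claim window has closed, so a
        # withdrawal can never race an outstanding winning ticket.
        if self.winning is None or block < self.redemption_deadline:
            return 0
        if amount > self.balance:
            return 0
        self.balance -= amount
        return amount
```

Every call returns a falsy value when it arrives in the wrong phase, so a repeated `draw`, a late `claim` and an early `withdraw` are all refused without changing state.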

zynis commented Dec 9, 2014

Hey FYI, I did not have an explicit donation for the code reviewer, but I have asked Peter, once he gets the donations from the people who pledged, if he would consider sharing some with you. If you could please add your XCP/BTC address to this github.com page.

https://bitcointalk.org/index.php?topic=395761.msg9782323#msg9782323

Thanks again for this very thorough review and recommendations. In the future, as I do these donations/bounties with some of my trading profits, I will make sure to allocate some percentage to the reviewer.
